Apple's High Sierra operating system has a bug allowing anyone to become an admin.

Huge Security Flaw Lets Basically Anyone Log In to a Mac Running High Sierra

Huge Security Flaw Lets Basically Anyone Log In to a Mac Running High Sierra

Future Tense
The Citizen's Guide to the Future
Nov. 28 2017 6:58 PM

Huge Security Flaw Lets Basically Anyone Log In to a Mac Running High Sierra

USITAPPLEDEVELOPERS
There's a huge security flaw in Apple's latest operating system.

JOSH EDELSON/AFP/Getty Images

Apple’s latest operating system, macOS High Sierra, has a huge security flaw that allows pretty much anyone to log in. As a self-described "software craftsman" in Turkey revealed Tuesday on Twitter, anyone can access a Mac running the software by simply clicking “other” on the login screen and entering “root” in the username field. There’s no need for a password.

Here’s what’s happening. Unix-based operating systems like OS X have a built-in superuser­ called “root” that has total access to all of the computer’s commands and files. Even in IT, “root” is not recommended for administrative access—that’s how powerful it is. However, it appears that a hole in macOS High Sierra’s security programming allows pretty much anyone to assume this omnipotent, albeit dangerous role. (If you’re feeling smug because you already disabled root user in your settings, sorry: This bug bypasses that.)

Advertisement

On Tuesday evening, Slate’s IT team was able to use this bug to access a computer running the operating system, both through the login screen and in the Users & Groups setting.

The consequences here could be serious. Anyone could log into your computer, even remotely, with "root", then proceed to change your password, log in to your user account, unlock your keychain and reveal your passwords. They can also turn off FileVault, OS X’s disk encryption program. Or, they can create their own user, delete all your information, and claim your computer as their own.

If you have a computer running macOS High Sierra, you need to address this immediately by assigning a password to “root” so that unauthorized parties who might attempt to exploit the flaw won’t be able to login in without it. To do this, simply open the “Directory Utility” app and click the “Edit” dropdown menu in the toolbar. You can then click on the “Change Root Password” entry to enter a new password.

Here’s a how-to video from 9to5Mac:

Apple says it is working on a fix:

Future Tense is a partnership of SlateNew America, and Arizona State University.