
Big security flaw in Apple MacOS High Sierra uncovered

by Mark Tyson on 29 November 2017, 15:01

Tags: Apple (NASDAQ:AAPL)

Quick Link: HEXUS.net/qadoav


A few hours ago a glaring hole in MacOS High Sierra was uncovered by software developer Lemi Orhan Ergin. Respected sources such as ComputerWorld and CNBC have called the MacOS security flaw "unforgivable" and a "huge password glitch", with CNBC quoting Edward Snowden describing the issue as "really bad". However, the first target of criticism among the Twitterati was Ergin himself, for disclosing the vulnerability in public and giving Apple no time to react.

The flaw

Ergin, a Turkish software developer and founder of Software Craftsmanship Turkey, told his followers that "Anyone can login as 'root' with empty password after clicking on login button several times." Little further explanation is required, such is the simple and worrying nature of this 'hack'. The first couple of attempts at this blank-password login fail, but trying several times lets you in; the "result is unbelievable," exclaimed Ergin.

So that people could replicate this login bypass, Ergin went on to explain that you can reach the root login dialogue via System Preferences > Users & Groups and then clicking the lock to make changes. Almost immediately the root password bypass was confirmed by many MacOS users. Interestingly, Twitter user Seth Goggans found a video clip of Apple's Craig Federighi "using the #rootgate exploit" during a recent MacOS demonstration.

Workaround for now

Apple is actively working on a fix for the security flaw in its OS, but meanwhile it has issued an advisory with a workaround. In a communication sent to ComputerWorld, Apple advised the following: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section."

In short, enabling a genuine root user and setting a password for it puts you back in control and plugs this blank password flaw. You can follow through Apple's workaround instructions, published yesterday but which don't actually mention the flaw, here.

UPDATE:

Apple has quickly released a patch for the security issue described above. You can read about and grab Security Update 2017-001 directly from Apple.

HEXUS Forums :: 17 Comments

Epic epic fail… I've seen a few tech sites commenting on how it seems Apple has QA issues these days…. not the first password bug recently
Looks as if the patch has been released - I've just downloaded it.
Only 3 comments?! Oops, 4!
Eric F;3889997
Only 3 comments?! Oops, 4!

Not much to comment on. Flaw discovered and published, workaround quickly issued, followed just as quickly by a patch to fix it. Job done. It would have been better if it hadn't occurred, but you can say that about any software bug.