A serious security flaw found in the latest version of Apple’s macOS High Sierra could allow anyone to access locked settings on a Mac using the user name “root” and no password, and subsequently unlock the computer.
The security flaw, discovered a couple of weeks ago and disclosed in an Apple developer support forum, has been shown to work within the software’s user preferences screen, among other locations.
Once triggered, the same combination will also bypass the lock screen of Macs running Apple’s latest operating system.
Turkish software developer, Lemi Orhan Ergin, publicised the flaw on Twitter, calling the bug a “huge security issue”:
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Apple said it was “working on a software update to address this issue” and advised users to set a root password to prevent unauthorised access to Mac computers.
The bug does not appear to affect previous versions of macOS, including Sierra, El Capitan or older. It can reportedly be exploited on an unlocked Mac, bypassing security settings and allowing things such as File Vault encryption and the firewall to be turned off. It can also be exploited at the login screen of a locked Mac – even after a reboot – if the bug has been used before, and in some cases remotely if a user has screen sharing enabled.
The security flaw was originally detailed as a solution to a user login problem on Apple’s developer support forum. A developer called Chethan Kamath, writing under the username chethan177, wrote on 13 November:
“On startup, click on “Other”. Enter username: root and leave the password empty. Press enter. (Try twice). If you’re able to log in (hurray, you’re the admin now).”
The solution was then followed by exclaims of surprise that Apple’s software permitted such an action. CoyoteDen said:
“Oh my god that should not work, but it does. This is really REALLY bad. Some bug in authentication is ENABLING root with no password the first time it fails!”
Security experts warned that the security hole was both embarrassing for the company and dangerous, allowing anyone with physical access – and in some instances remote access – to a Mac computer to gain full access to user data.
Edward Snowden commented on the bug saying:
“Imagine a locked door, but if you just keep trying the handle, it says “oh well” and lets you in without a key.”
Experts also warn against trying out the bug for yourself, as once enabled the flaw can then be more easily exploited even on a locked Mac.