November 29, 2017

Major Security Flaw Lets Anyone “Hack Mac OS High Sierra Just By Typing Root”!

If you own a Mac running the latest version of High Sierra, 10.13.1 (17B48), do not leave your computer unattended: security researchers disclosed a bug that lets anyone with physical access to a Mac gain system administrator access without entering a password.

Anyone can gain the highest level of access to your Mac just by typing “root” in the username field, leaving the password blank and clicking “unlock” a couple of times. That’s it: the person immediately gains full access to the computer, with no hacking skills required.


This silly yet major vulnerability was first noticed by a developer named Lemi Orhan Ergin, who then posted about it publicly on Twitter.

Here’s How To Perform This Hack:

  • Open System Preferences on your Mac with High Sierra operating system.
  • Select Users & Groups.
  • Click the lock button.
  • Enter “root” in the username field of the login window.
  • Leave the Password field blank and hit the Enter button a few times.


These steps will make you a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts. You can alter passwords, email IDs linked to the account and much more to create havoc on the computer.

This flaw can be exploited in several ways, such as when full-disk encryption is disabled or by disabling FileVault. However, it is not possible to exploit this vulnerability when a Mac is turned on and the screen is protected with a password.

However, Ergin contacted Apple Support to address the issue and Apple responded that it is reportedly working on a fix.

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Temporary Fix To MacOS High Sierra Bug

Until Apple releases a fix for this bug, you can protect your Mac by setting a root password. To do that:

  • Go to System Preferences and then select Users & Groups.
  • Click the lock icon and then enter an administrator name and password.
  • Click on Login Options and select Join at the bottom of the screen.
  • Select Open Directory Utility.
  • Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  • Click Edit at the top of the menu bar.
  • Select Enable Root User if you haven’t already and then choose Change Root Password.
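
A command-line check to go with the steps above, as an added example (not from the original article or from Apple): it classifies the output of `dscl . -read /Users/root Password AuthenticationAuthority` to tell whether the root account is currently enabled. The function names, the sample outputs and the rule that a disabled root shows `Password: *` with no ShadowHash entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit whether the macOS root account is enabled.
# classify_root (hypothetical name) reads, on stdin, the output of
#   dscl . -read /Users/root Password AuthenticationAuthority
# and prints: disabled | enabled | unknown.
# Assumption: a disabled root account shows "Password: *" and carries no
# ShadowHash authentication authority; anything else is treated as enabled.
classify_root() {
    awk '
        /^Password:/ { pw = $2; seen = 1 }
        /ShadowHash/ { shadow = 1 }
        END {
            if (!seen)                     print "unknown"
            else if (pw == "*" && !shadow) print "disabled"
            else                           print "enabled"
        }'
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Report on this machine; does nothing useful where dscl is absent.
audit_root() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found (not macOS?)"; return 0; }
    state=$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1 | classify_root)
    case "$state" in
        disabled) echo "root: disabled (on an unpatched 10.13.1, set a root password)" ;;
        enabled)  echo "root: ENABLED - if you did not set its password, change it now" ;;
        *)        echo "root: could not determine state" ;;
    esac
}

audit_root
```

An "enabled" result on a machine where nobody deliberately turned on the root user is the case Apple's statement covers: use Change Root Password to make sure the password is not blank.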

You can also disable the guest accounts on your Mac for additional security. To do this, go to System Preferences > Users & Groups > select Guest User > disable “Allow guests to log in to this computer.”

Update:

On Wednesday, Apple said it had issued a software update for the vulnerability in the High Sierra version of macOS. The update was made available at 8 a.m. PT Wednesday, and computers would automatically start installing the update later in the day.

“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole,” Apple said in a statement.

About the author 

Meghna

