Apple will fix the “huge” security flaw in MacOS High Sierra with an upcoming software update
MacOS High Sierra allows anyone to access the root / admin account just by typing “root” as the admin username and leaving the password field blank. Apple is reportedly working on a software update to fix the bug and suggests users set one
A major security flaw has been discovered in Apple’s MacOS High Sierra operating system that allows anyone to access a Mac’s root / admin account. MacRumors reported the bug, which was disclosed by a developer named Lemi Ergin, who was able to log in to the admin account by entering “root” as the username and leaving the password field blank. Apple has acknowledged the error and said it is working on a software update to resolve the issue.
The root / admin account gives the user enhanced privileges, including read and write access to system files. According to reports, the error allows administrator access on an unlocked Mac and can also be used at the login screen of a locked Mac. Users can try this from their normal account, or even a guest account, by opening Users and Groups in System Preferences and clicking on the lock icon. A prompt will appear asking for a username and password; the user types ‘root’ as the username and clicks in the password field but leaves it blank. Clicking on Unlock then grants use of the admin account.
You can access it via System Preferences > Users and Groups > Click Lock to make changes. Then use “root” without any password. And try it several times. The results are incredible! pic.twitter.com/m11qrEvECs
– Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Apple’s guidance is that users should set a password for the root account rather than leaving it blank, so that no one else can access it. Apple said in a statement to MacRumors, “Setting a root password prevents unauthorized access to your Mac. To enable root users and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a root user is already active, please follow the instructions in the ‘Change root password’ section to ensure that an empty password is not set.” The bug is said to be present in the current version of MacOS High Sierra and in its beta, which is currently in testing.
To set a root password, users need to follow the same procedure as before to access an admin account, and then click on Login Options. After that, users need to click on the Join (or Edit) option next to Network Account Server and click on the lock icon under Open Directory Utility. A prompt will ask for the user’s administrator name and password, after which they must select Enable Root User from the ‘Edit’ menu in the menu bar and enter a new password for the root / admin account. Apple says this method will prevent the root account from being accessed with a blank password until it releases a patch. Since the bug can be exploited from a guest account, MacOS High Sierra users are also advised to disable guest accounts.