Jump to content


FYI (News): MacOS High Sierra's 'Root' Bug Makes Hacking it Easy


Recommended Posts

“Mac computers with High Sierra (MacOS 10.13.1 or higher) have a serious bug that can let anyone gain root access to the system without a password.


The hack is easy to pull off. It can be triggered through the Mac's System Preferences application when "Users & Groups" is selected, and the lock icon on the window is clicked. After that, a new login window will appear. Anyone who types "root" as the username, leaves the password field empty, and clicks unlock (once or twice) is on their way to a new account that has system admin privileges to the computer.


With those privileges, the account can be used to modify the rest of the Mac and look up passwords on the keychain access. Even after a reboot, the root account remains.


There are also reports the bug can be triggered at the Mac login screen, but not everyone was able to produce the same findings.†https://www.pcmag.com/news/357614/macos-high-sierra-root-bug-makes-hacking-it-easy


“The issue, discovered in the MacOS High Sierra operating system for laptops and desktops that was released in September, allows people to enter the word "root" when prompted for a username, and provide no password when logging on to the device. The glitch allows anyone to access the file system for a Mac, exposing private documents on that particular computer. One user reported the ability to also access the computer using the root login remotely.†http://www.chicagotribune.com/bluesky/technology/ct-apple-mac-vulnerability-20171128-story.html


“Apple is looking into the bug and will push a software update that fixes it, a representative told Business Insider in an email:


“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.â€


Business Insider was able to replicate the bug on Tuesday. After plugging in "root" as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. The bug didn't work on a Mac with older software.†http://www.businessinsider.com/macos-high-sierra-can-be-hacked-with-username-root-and-no-password-2017-11

Edited by Arcadia in CA
  • Like 3
Link to comment
Share on other sites

I know my cousin (a retired M.D.) has Apple stuff and I think one of my other cousins may have it too.

A fix is out


From TechCrunch https://techcrunch.com/2017/11/29/apple-releases-a-macos-security-update-to-fix-huge-login-security-flaw/

“Apple has just released a security update for macOS High Sierra and you should update right now (Apple will automatically push the security patch later today). This update fixes yesterday’s very concerning vulnerability that let anyone log into your Mac without your password.


In order to install the update, open the Mac App Store and click on the “Updates†tab. Interestingly, the release notes say “install this update as soon as possible.†Apple has worked long hours to fix yesterday’s flaw as soon as possible. But it shouldn’t have happened in the first place.


The security flaw affected all Macs running the latest version of High Sierra (at least version 10.13.1 — 17B48).â€

  • Like 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...