As per the latest reports, a major security flaw has been detected in Apple’s macOS High Sierra. The flaw allows a person to log in as an administrator without any password and gain access to your Mac. It was revealed by Lemi Orhan Ergin, the founder of Software Craftsmanship Turkey. In a tweet, he said that his team had noticed a huge security issue in macOS High Sierra: anyone could log in as “root” with an empty password after clicking the login button several times. He was trying to make Apple Support aware of the issue through the tweet.
You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use "root" with no password. And try it several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Responding to this major security issue in High Sierra, an Apple spokesperson said that their team was working on a software update to address the issue. Apple also suggested that Mac users set a root password, which would prevent unauthorized access to their Mac, and advised users to follow its instructions for enabling the root user and setting a password. “If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section,” the Apple spokesperson said.
The glitch makes macOS High Sierra devices vulnerable to unauthorized access: anybody with physical access to a High Sierra device can unlock the user’s MacBook and log in without any password. If one opens System Preferences on the user’s device, goes to Users & Groups and clicks the lock, the device asks for a username and password before settings can be changed. If the person then types “root” as the username, leaves the password field empty and clicks Unlock several times, he/she is logged into the device without the use of any password.
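The two facts a defender needs from the paragraphs above are the affected release line and whether the root account currently has a password. The following read-only audit script is an added example, not code from the article or from Apple; it assumes macOS’s `sw_vers` and `dscl` commands, and its helper functions take their output as arguments so they can be exercised with constructed strings.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): audit whether a Mac is
# on the High Sierra (10.13.x) release line the article names and whether the
# root account has a password set, which is the mitigation Apple advised.

# Exit 0 when the product version string is a High Sierra release.
# This is only a coarse filter: Apple's fix shipped as a security update that
# keeps the 10.13.1 version string, so a matching version alone does not prove
# the patch is missing. The root password check below is the decisive one.
is_high_sierra() {
    case "$1" in
        10.13.*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Exit 0 when the AuthenticationAuthority record shows a stored password hash.
# On macOS, `dscl . -read /Users/root AuthenticationAuthority` prints a line
# like "AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>" once a password
# exists, and "No such key: AuthenticationAuthority" when none is set.
root_password_set() {
    case "$1" in
        *ShadowHash*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Combine the two observations into a single verdict string.
verdict() {
    if root_password_set "$2"; then
        echo "root-password-set"
    elif is_high_sierra "$1"; then
        echo "high-sierra-no-root-password"   # set a root password now
    else
        echo "other-release-no-root-password"
    fi
}

# Live check: query the real system (read-only, no privileges required).
audit_this_mac() {
    v=$(sw_vers -productVersion)
    a=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    echo "macOS $v: $(verdict "$v" "$a")"
}

# Only run the live check where the macOS tools actually exist.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    audit_this_mac
fi
```

A verdict of `high-sierra-no-root-password` means the advice in the spokesperson’s statement applies: enable the root user and set a non-blank password, then re-run the script.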
Another big issue is that the bug lets an outside user authenticate as “System Administrator” and, as a result, gain full ability to view files and even reset or change the passwords of existing users on that device. This means someone can easily get access to your Keychain, which contains all your passwords.
Amit Serper, a security researcher at Cybereason, demonstrated that the bug works even on the login screen after rebooting the computer. The flaw is seen only in macOS High Sierra 10.13.1, the latest update of High Sierra, and not in Sierra or any previous macOS version, as reported by The Verge.
This is not the first security bug detected in macOS High Sierra. Previously, just after the launch of High Sierra, a former NSA hacker revealed that he could extract sensitive data from the Keychain using an application he had downloaded online. So it is now very important that Apple fix the bug as soon as possible and improve the security of the Mac in its next High Sierra update.
UPDATE: Apple has rolled out a mandatory security patch for macOS High Sierra users, which will be installed on their MacBooks automatically. Apple has provided the following statement:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”