
MacOS High Sierra bug allows full admin access without a password

29 November 2017

A massive security hole affecting Mac computers running the latest version of MacOS High Sierra has been discovered.

Without explaining what the actual bug is (we don't want to make it any easier for potential hackers than it already is, and you can find it on Twitter pretty easily), someone can log in to a Mac by typing a word in the login field, leaving the password field blank, and attempting to log in several times.

So far as we can tell, you need access to an account that is currently logged in in order to trigger it.

iTnews was able to replicate the flaw and access a Mac without a password as the root superuser from the main login screen.

Apple did not immediately return a request for comment, though Apple's Twitter support account did reply to Ergin asking for more details. Given the cartoonish extremity of this bug, chances are a fix will be available soon.

A user reported the issue earlier today, but initially it wasn't specified which version of Mac OS High Sierra was affected, what machines, or anything other than what the problem was.

Apple spokesman Bill Evans said the company is "working on a software update to address this issue".

As of now, it's unclear how something like this could have slipped past Apple, and Apple tends to keep errors like this under wraps, disclosing little about them. This gives the attacker access to all administrator preferences in System Preferences, but that's only the beginning: it also enables a new, system-wide root user with no password. You can do this from the user login screen.

It is possible to mitigate the flaw, however, by adding a password for the root user in the Users & Groups preferences pane.

Once in the "Join" menu, click on "Open Directory Utility". We are now updating our machines and will report back.
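The following script is an added example, not part of the article: it checks from the command line whether the root account already has a password hash (the state the mitigation above puts it in) and, when run as an administrator, applies the same mitigation without the Directory Utility GUI. It assumes the `dscl` output format shown in the comments and the `dscl . -passwd` subcommand; the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Verifies the article's mitigation:
# a local root account that has been given a password.
#
# Assumptions (not stated on the page):
#  - `dscl . -read /Users/root AuthenticationAuthority` prints a line that
#    contains ";ShadowHash;" when a password hash exists for root, and
#    prints "No such key: AuthenticationAuthority" (non-zero exit) when
#    root has never been given a password.
#  - `dscl . -passwd /Users/root <new>` sets the root password (needs sudo).

# classify_root_auth <dscl output> -> prints protected | unprotected | unknown
# Pure-shell parser, so it can be exercised on any platform with sample text.
classify_root_auth() {
    case "$1" in
        *"No such key: AuthenticationAuthority"*) echo "unprotected" ;;
        *ShadowHash*)                             echo "protected" ;;
        *)                                        echo "unknown" ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_UNPROTECTED='No such key: AuthenticationAuthority'
SAMPLE_PROTECTED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# check_root_password_on_this_mac: runs the real query (macOS only).
# Returns 0 if root has a password hash, 1 if not, 2 if dscl is unavailable.
check_root_password_on_this_mac() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found (not macOS?)" >&2; return 2; }
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_auth "$out")
    echo "root account: $state"
    [ "$state" = "protected" ]
}

# set_root_password: applies the mitigation from the terminal. The new
# password is read with echo off so it does not land in shell history.
set_root_password() {
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; return 1; }
    printf 'New root password: '
    stty -echo; read -r pw; stty echo; printf '\n'
    dscl . -passwd /Users/root "$pw"
}

# Usage on a Mac:  . ./root_check.sh; check_root_password_on_this_mac || sudo sh -c '. ./root_check.sh; set_root_password'
```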

Despite suggestions that the flaw can be mitigated by disabling the computer's guest account, this will not work: it simply restarts the computer with Safari as the only application running.
