User Tweets significant security issue with macOS High Sierra to Apple Support

Indeed, we tested this out on a Mac running 10.13.2 High Sierra - although it should work on the current 10.13.1 build - and it works quite easily.

"A password prompt that authenticates as root with an empty password would be a black eye for any OS."

Without explaining what the actual bug is (we don't want to make it any easier for potential hackers than this already is, and you can find it on Twitter pretty easily), someone can log in to a Mac by typing a word in the login field, leaving the password field blank, and attempting to log in several times.

El Reg was able to reproduce the bug on our office Macs running High Sierra, which was released in September. Many other macOS users independently confirmed the issue. This isn't good for macOS users, and it looks bad for Apple. However, there is a workaround that gives users some additional protection against unauthorized logins: users can enable a root account that requires a password to gain access. Click "Login Options", then click "Join", which appears next to the text "Network Account Server".

The attacker needs only to head to Users & Groups, click the lock at bottom-left, then try to log in as "root" with no password.

Enter "root" again with no password.

Apple did not immediately return a request for comment, but Apple's Twitter support account did reply to Ergin asking for more details.

Click "Open Directory Utility" and a new window will open.

Let us know how it goes for you, and stay tuned for Apple's macOS update soon...

Once a password has been set for the "root" account, the flaw that allows a person to log in as "root" with no password will no longer work.