There has been a sharp rise in the number of breaches and security flaws in recent years, but the latest one affecting Apple’s macOS High Sierra stands out for how little skill it takes to use.
While most flaws can only be exploited by attackers with a certain level of technical knowledge, this vulnerability in the Mac operating system can be taken advantage of by anyone – including you.
If you’re running High Sierra 10.13.1, anyone who can reach a login or unlock prompt on your Mac can authenticate as the root user simply by typing “root” in the username field, leaving the password blank and clicking the unlock or login button a few times. That’s right: with a simple login an attacker gets the highest level of access on the machine – the entire drive, personal files, account preferences (including those in Security & Privacy) – and could install software, including malware.
We have been able to replicate the flaw, although it took three attempts for it to work. Either way, this is huge.
The flaw appears to have been first identified by security researcher Lemi Orhan Ergin, founder of Software Craftsman Turkey, who posted the details on Twitter. In the tweet Ergin wrote: “Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”
He then followed it up with: “You can access [the flaw] via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. And try it for several times. Result is unbelievable!”
Apple has responded by saying it is working on a software update to address this problem and has issued a temporary solution (instructions below).
High Sierra Mac flaw: How to protect yourself
While you wait for Apple to push out a software fix, set a root password yourself: the flaw relies on the root account having no password, so once one is set the blank-password login no longer works.
Enable or disable the root user
- Click the Apple menu in the top left-hand corner, select System Preferences and open Users & Groups (or Accounts).
- Click the lock icon and enter your administrator name and password.
- Select Login Options and click Join (or Edit)
- Open Directory Utility
- Click the lock icon again in the Directory Utility window and enter the administrator name and password again
- From the menu in Directory Utility: Choose Edit, Enable Root User, then enter the password that you want to use for the root user or choose Edit, Disable Root User.
Log in as the root user
After you’ve enabled a root user, only the person logged in as that root user can make root-level changes. To log in as a root user:
- Click the Apple icon and select Log Out
- When prompted to log in, enter the username ”root” and the password you created above
If the login window shows a list of users, click Other and then log in.
Apple’s general guidance is to disable the root user once you have finished with it. For this particular flaw, however, the protection comes from root having a password set, so leave the password in place until you have installed Apple’s update.
Change the root password
- Open System Preferences from the Apple menu and select Users & Groups (or Accounts).
- Click the lock icon and log in.
- Click Login Options and then Join (or Edit).
- Open Directory Utility.
- Click the lock icon in the Directory Utility window and re-enter the login details.
- From the menu select Edit and then Change Root Password.
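The same steps can be done from Terminal. The script below is an added example, not from the original article or from Apple’s support page: it uses the stock macOS tools `dsenableroot` (which prompts for your admin credentials and a new root password, and with `-d` disables root again) and `dscl` (to read root’s `AuthenticationAuthority` record). The check function assumes, as labelled in the comments, that a disabled root record carries the `;DisabledUser;` token in that attribute; the two sample attribute values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original article): command-line equivalent of the
# Directory Utility steps, plus a check for whether the root account is enabled.

# Decide from root's AuthenticationAuthority attribute whether the account is usable.
# Assumption: a disabled root record contains the ";DisabledUser;" token, e.g.
#   AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<...>   (disabled)
#   AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>                 (enabled)
# Returns 0 = enabled, 1 = disabled, 2 = unknown (attribute missing or unreadable).
root_enabled_from_authority() {
    [ -z "$1" ] && return 2
    case "$1" in
        *';DisabledUser;'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the live attribute with dscl (macOS only) and report. Note this tells you
# whether root is enabled, not whether its password is empty: an enabled root with
# the password you set yourself is the intended mitigated state.
check_root_status() {
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
    rc=0
    root_enabled_from_authority "$auth" || rc=$?
    case "$rc" in
        0) echo "root account is ENABLED (make sure it has a password you set)" ;;
        1) echo "root account is disabled" ;;
        *) echo "could not read root's AuthenticationAuthority" ;;
    esac
    return "$rc"
}

# Equivalent of Directory Utility > Edit > Enable Root User: dsenableroot prompts
# for an admin username, that user's password and the new root password.
set_root_password() {
    sudo dsenableroot
}

# Equivalent of Edit > Disable Root User.
disable_root() {
    sudo dsenableroot -d
}

# Usage: sh root-check.sh --check | --set | --disable
case "${1:-}" in
    --check)   check_root_status ;;
    --set)     set_root_password ;;
    --disable) disable_root ;;
esac
```

Run it with `--check` before and after setting the password; `dsenableroot` needs an administrator account, which is the same requirement as the lock icon in System Preferences.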
The full instructions and more about root users can be found on Apple’s official support page.
This video will also guide you through the process:
Not everyone has been able to replicate the flaw, and Ergin has been fiercely criticised for making the flaw public rather than going through a bug bounty program or highlighting the vulnerability through the proper channels to Apple directly.
This isn’t the first bug seen in High Sierra. On the day of launch, a researcher demonstrated that a malicious, unsigned app running on the system could read and steal keychain passwords without the user being asked for a password. Another flaw exposed a user’s password as the password hint when trying to unlock an encrypted partition.