Apple’s Latest OS High Sierra Plagued With Critical Security Vulnerability Allowing Anyone To Log Into a Mac Without a Password.
Lemi Ergin, a Turkey-based software developer, has discovered a critical security bug in Apple’s recently released operating system, macOS High Sierra. The flaw was revealed to the public via Twitter.
According to his tweet, the flaw is highly dangerous because anyone with access to a Mac can gain admin rights simply by entering “root” in the username field of the login screen and clicking the login button. No password is required: with the username set to “root”, pressing Enter a few times instead of typing a password is enough to obtain admin access to the machine.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Moreover, if the same username is used in System Preferences, it is possible to gain admin access and change settings on a locked Mac. This means that a Mac left unattended allows anyone to become the system administrator without any verification. Even if the device is accessed remotely, it gives away admin rights, so an attacker can obtain sensitive information stored on it.
Ergin further revealed that the bug is present in macOS High Sierra version 10.13.1 and in the macOS 10.13.2 beta. Older versions of the operating system, such as Sierra and El Capitan, are not affected.
Apple has admitted that the bug is indeed present in its latest OS and has issued a statement saying that the company is already working on releasing a security update as soon as possible. In the meantime, users can set a password for the root account to fix the issue temporarily. Apple’s representative stated: “Setting a root password prevents unauthorized access to your Mac.”
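An added check for the condition described above (example code, not from the article or from Apple): the root account on a fresh High Sierra install carries no AuthenticationAuthority attribute in the local directory, and the empty-password login creates one. The function below classifies the output of `dscl . -read /Users/root AuthenticationAuthority`; the two sample outputs are constructed, and the exact wording of the ShadowHash line is an assumption.

```shell
# root_state: given captured dscl output, report whether the local root
# account has been activated. "No such key" means the attribute is absent,
# i.e. root is still disabled; an AuthenticationAuthority line means root
# has been enabled (by an admin, or by the empty-password login bug).
root_state() {
    case "$1" in
        *"No such key"*)            echo "disabled" ;;
        *AuthenticationAuthority*)  echo "enabled" ;;
        *)                          echo "unknown" ;;
    esac
}

# Constructed sample: what dscl reports on a Mac where root was never enabled.
SAMPLE_DISABLED="No such key: AuthenticationAuthority"
# Constructed sample: the attribute that exists once root has been activated
# (the hash-list contents are an assumption and are not used by the check).
SAMPLE_ENABLED="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"

# check_local_root: run the real query on a Mac. stderr is merged because
# dscl may print the "No such key" message there.
check_local_root() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    root_state "$out"
}

# Mitigation the article quotes Apple recommending: give root a password,
# for example with `sudo passwd root`. A Mac that reports "enabled" should
# have that done if nobody set a root password deliberately.
```

The check tells you only that root is active, not whether its password is empty, so treat "enabled" on a machine where no administrator intentionally enabled root as a sign to set a password immediately and audit recent logins.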
This flaw was reported about two weeks earlier on the Apple support forums, but the company regarded it as a workaround for fixing issues with the computer and denied that it was a security threat. On the other hand, security experts have criticised Ergin for not following Responsible Disclosure guidelines when dealing with a critical security vulnerability, as he chose to reveal it to the public via Twitter.
This is the second time in the last two months that Apple has been in the news for all the wrong reasons. In October, a critical bug was discovered in Macs that displayed the device password in plain text rather than the password hint.