Published: Wed, November 29, 2017
Research | By Francis Brooks

Apple flaw allows MacOS High Sierra logins without passwords

macOS users may want to mitigate the issue themselves by assigning a root password or disabling the root account in System Preferences - Users & Groups on their Mac.

Still, flaws like this really undermine the level of security you get from Apple's premium devices, even though such issues are rarely discovered. Anyone can log in to the default root account using the username "root" and no password, which gives them superuser access to all areas of the system, including read and write privileges on other user accounts. After entering "root" as our username with no password, it took two clicks to gain access to the Users & Groups settings on a High Sierra system. Click on the lock in the lower left of the menu to make changes. That said, this isn't good for macOS users and it looks bad for Apple.

Indeed, we tested this out on a Mac running 10.13.2 High Sierra - although it should work on the current 10.13.1 build - and it works quite easily.

IBT reached out to Apple for comment regarding the discovery of the security vulnerability but did not receive a response at the time of publication. Changing the root password is the workaround for now.

According to reports (meaning we haven't tested this), this isn't an issue on older versions of the OS.

Enter "root" again with no password. (The company maintains an invite-only bug bounty program.) Despite its incredibly alarming simplicity, The Verge is not reproducing the steps to bypass High Sierra's login screen here.
