The bug allows anyone with access to a Mac running the latest OSX High Sierra to gain full administrator access to the computer using the username “root” and no password.
Computer security expert Graham Cluley said in a blog post about the flaw: “This is pretty bad of Apple.Once someone has root on your Mac, they have God-like powers over the entire system”. “Some bug in authentication is ENABLING root with no password the first time it fails!” Following this, they just have to click the lock, enter the word “root” in the username field, select the password field (keep it empty) and tap the “Unlock” button.
Without a need for a password, this potential defect would encourage hackers and malicious users to take over Mac devices and render their owners helpless. Admittedly, someone would have to get physical access to your Mac in order to implement this bypass technique, but that would also cover stolen Macs in any circumstance.
We tested this procedure on both an old MacBook Pro and the latest MacBook Air, each running High Sierra. Update your Mac: don’t ignore those prompts.
Apple has released instructions prompting users how to login with root and add a password to the username. The hacker could then return at any time and log in as the admin.
Apple has advised its customers who may be affected to set a password for the device’s root user, which should stop people exploiting the vulnerability. Head to System Preferences, then click Users & Groups and click on the padlock. Click it, then enter in the name and password for your administrator account. The Cupertino giant also provided a step-by-step procedure to set a root password to prevent unauthorised access to the Mac. After this, click “Open Directory Utility” and enter an admin name and password. Until then, the firm has offered up a temporary workaround that requires setting up a root password. In the meantime, impacted users with admin access should type the following command from the terminal: ‘$ sudo passwd root’.
The fix is a fairly simple one.