Surprise, surprise! Security by obscurity fails Apple's MacOS
When you live in the countryside you can often leave your door unlocked day and night. You may feel safe, but you are not really secure.
It seems Apple has been operating under the same principle, and today someone managed to travel to their idyll and test the doors.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Turkish developer Lemi Orhan Ergin has discovered that MacOS High Sierra appears to ship without a root password: logging in with the username root and no password gives you full admin access to do whatever you want, including changing passwords for other accounts or just about anything else.
Ergin reports it may take clicking the OK button more than once, but the “feature” has worked reliably for many people already.
Apple is yet to comment, but I suspect a quick trip to the locksmith is in order. MacOS users may want to mitigate the issue themselves by assigning a root password in System Preferences -> User Groups on their Mac:
1) Open Directory Utility
2) Click the lock symbol to make changes, log in as admin
3) Click Edit -> Enable Root User
4) Click Edit -> Change Root Password…
5) Set a password
Via BGR