Published: Wed, November 29, 2017
Sci-tech | By Javier West

There's a major security flaw in macOS that gives anyone admin access

Using the same trick, you can add new users (even as admins) to a device, remove other users, reset their passwords, decrypt disks encrypted by FileVault, or change nearly every other setting that requires admin access.

Discovered by software engineer Lemi Orhan Ergin, the bug allows anyone who has access to your computer to gain full, administrative access in just seconds. Root access to a system is the holy grail of control over a device; leaving the root account enabled and with no password is like setting the nuclear launch code as "1234".

The workaround right now, according to the Twitterverse, is to set a root user password.

When trying to log in to a macOS device running High Sierra, you simply need to use the username "root", leave the password field empty, and then hit the login button a couple of times to get access to the device.

The vulnerability allows any person to access the administrator's account on an already unlocked Mac.

We can confirm the bug is present in macOS 10.13.1, and anyone with a Mac in a public office space is urged to fix this themselves, immediately. Those running previous versions of macOS, including Sierra and Yosemite, do not appear to be affected by the bug. We'll update this post if we hear back.

Some users are reporting that you can change your root password to fix the issue, but Apple has not issued official guidance yet. Click the lock to make changes and enter the administrator name and password.
