Enlarge (credit: Patrick Wardle)
In one of Apple’s biggest security blunders in years, a bug in macOS High Sierra allows untrusted users to gain unfettered administrative control without any password.
The bypass works by putting the word “root” (without the quotes) in the user name field of a login window, moving the cursor into the password field, and then hitting enter button with the password field empty. With that—after a few tries in some cases—the latest version of Apple’s operating system logs the user in with root privileges. Ars reporters were able to replicate the behavior multiple times on at three Macs. The flaw isn’t present in Yosemite, the previous macOS version.
The password bypass can be exploited in a variety of ways, depending on the way the targeted Mac has been set up. When full-disk encryption is turned off, an untrusted user can turn on a Mac that’s fully powered down and log in as root. It was also not possible to exploit the vulnerability when a Mac was turned on and the screen was password protected. Even on Macs that have filevault turned on, the bypass can also be used to make unauthorized changes to the Mac System Preferences or to log in as root after logging out of an existing account but not turning off the machine. The behavior observed in Ars tests and reported on social media was extremely inconsistent, so results are likely to vary widely.
Read 8 remaining paragraphs | Comments

Leave a Reply