I honestly don't know how some people discover certain flaws in other people's operating systems. But the truth is that the method used to discover vulnerabilities is not the central point of this article, but the failure in question.
Well, the developer Lemi Orhan Ergin found a serious flaw in macOS put his mouth on the trombone:
You can access it via System Preferences> Users & Groups> Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
– Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Dear @AppleSupport, we noticed a * huge * security issue on macOS High Sierra. Anyone can login as "root" with a blank password after clicking the login button several times. Are you aware of this, @Apple?
You can access it by going to System Preferences Users and Groups and clicking on the lock padlock to make changes. Then use ?root? without a password. And try it many times. The result is unbelievable!
I explain: even without knowing the password of the user macOS is running on, you can, due to the failure, authenticate some sensitive operation of the system or even change important information in the System Preferences Users and Groups.
Worse than that: the vulnerability allows an intentional person to log in to any Mac account. That is, turn on someone's Mac, write root in the user's name, leave the password blank and try to log in until in this case, apparently only on Macs that have the option ?Name and password? checked, as shown in the image below:
We made a video showing how everything works:
I do not doubt that Apple anticipates the release of the final version of macOS High Sierra 10.13.2 because of that
How to protect yourself now!
There is, however, a way for you to protect yourself from this loophole now.
I tried to replicate the root login bug with no password on 3 different machines and failed. Turns out I always set root password on Macs.
– Paul Haddad (@tapbot_paul) November 28, 2017
I tried to reproduce the root login bug without a password on three different machines and it failed. It turns out that I always set a root password on Macs.
As the developer Paul Haddad informed, just have a root user password set to be protected. And making it very simple, as this Apple support article teaches.
How to create a password for the root user:
- Select menu Apple () System Preferences and click on "Users and Groups";
- Click on the lock icon and enter the administrator name and password;
- Click on "Start Options".
- Click "Connect".
- Click on ?Open Directory Utility?.
- Click on the lock icon in the ?Directory Utility? window and enter the administrator name and password (or authenticate via Touch ID).
- From the menu bar in the Directory Utility, select Edit Activate Root User / Change Root Password and enter the password you want to use for the root user.
There, creating a password for the root user will be protected.
· ? ·
In addition, here's the tip from the Brazilian developer Guilherme Rambo:
If you happen to find a security issue on any product, find the security contact of the company and report it directly. Apple's is firstname.lastname@example.org https://t.co/kIFwWgwUrg
– Guilherme Rambo (@_inside) November 28, 2017
If you happen to encounter a security issue with any product, contact the company's security contact and report it directly to them. Apple's email@example.com
For the sake of users, report the problem to the company before sharing it with the world. You can still earn a little money with this. ?
Update 11/28/2017 s 22:36
Here is the statement that Apple has given to some vehicles, including the The Loop:
We are working on a software update to resolve this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the root user and set a password, follow the instructions here: https://support.apple.com/en-us/HT204012. If a root user is already enabled, to ensure that a blank password is not set, follow the instructions in the ?Change root password? section.
That is, exactly what we have indicated above.
Update II, by Rafael Fischmann Nov 29, 2017 at 14:40
The security flaw has already been fixed by Apple.