
November 29, 2017

macOS High Sierra bug allows full admin access without a password

by John_A

If you’re using Apple’s latest macOS High Sierra, you’ll want to be wary of giving people access to your computer. Initially tweeted by developer Lemi Orhan Ergin, there’s a super-easy exploit that can give anyone admin (or root) rights to your Mac. Engadget has confirmed that you can gain root access in the login screen, the System Preferences Users & Groups tab and FileVault with this method. All you need to do is enter “root” into the username field, leave the password blank, and hit Enter a few times. Needless to say, this is some scary stuff.

Root access allows someone to access your machine as a “superuser” with read and write privileges to many more system files, including those in other macOS accounts. Luckily, the fix is fairly easy. As developer Colourmeamused tweeted, you need to set a root password:

Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.

sudo passwd -u root

Enter your password then a new password for the root user.
Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings

— colourmeamused (@colourmeamused_) November 28, 2017

Engadget has confirmed that this will secure your macOS High Sierra machine, and keep people from gaining root access as above. We’ve reached out to Apple and will update this post when we hear back.

Via: The Register

Source: Lemi Orhan Ergin (Twitter), Colourmeamused (Twitter)
