gamezna.com January 23, 2018

MacOS High Sierra has an embarrassing bug that gives anyone Admin access

29 November 2017

Soon after Ergin's tweet, a flood of security researchers and writers confirmed the bug works as described - whether attempting to access an administrator's account on an unlocked Mac, or trying to gain access via the login screen of a locked Mac. This blocks the bug from creating another root account.

Ben Johnson, the chief technology officer of Obsidian Security and a former U.S. National Security Agency computer scientist, described the flaw to IBT as "a hacker's dream".

The level of unbridled access this security hole permits - and it abruptly being made public - will almost certainly prompt Apple to move fast in releasing an update for its Mac operating system. Such was the case with Apple and macOS High Sierra.

CNET independently confirmed this security flaw exists and reached out to Apple about the issue. A spokesperson for Apple was not immediately available for comment.

Users can click on the login options button, then select the join network account server option.

Lemi Orhan Ergin on Twitter:
macOS High Sierra security vulnerability discovered, here's how to set root password for fix

Let's make this clear: this is a huge mistake on Apple's part, even if there's a relatively simple fix.

After going through the above steps, the attacker can then log out, and choose the "Other" option that appears on the login screen. They can change any user's password, allowing them to log in and access things like email and browser passwords.

Some users are reporting that you can change your root password to fix the issue, but Apple has not issued official guidance yet.

You can patch this problem right now by creating a root account manually and giving it a secure password.

Click in the Directory Utility window, then enter an administrator name and password. In another lapse, Directory Utility lets you set the root password to blank - just leave both fields empty and click OK.

