Skip to main content

Apple flaw allows MacOS High Sierra logins without passwords

The latest version of Apple’s software has a glaring hole in it: You can log in with just the username "root."

It turns out you don't need a password to log in to a locked Apple device using MacOS High Sierra -- just the username "root."


By heading to your device's System Preferences, under Users & Groups, you can click on the lock and get hit with a prompt asking for a username and password to change settings. Then, instead of entering a password, you can type in "root" for the username and leave the password field empty.

Demonstration


After clicking unlock several times, it should eventually open up, no passwords necessary. Lemi Orhan Ergin, the founder of Software Craftsmanship Turkey, discovered the security flaw and tweeted it out to Apple Support on Tuesday.



"We are working on a software update to address this issue," an Apple spokesperson said. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

The simple exploit means anybody with physical access to your MacOS High Sierra device can log in on your computer, no matter how secure your passwords are.

Amit Serper, a security researcher from Cybereason, demonstrated that the bug works even on the login screen after restarting the computer:

The bug works for every aspect of the OS that would normally require a password, which means someone could also get access to your Keychain, containing all your passwords.

MacOS High Sierra was also plagued with a password issue when it launched, after a former NSA hacker showed that he could extract sensitive data from Keychain using an app downloaded online.

There's a workaround for the "root" flaw until Apple fixes it. You can turn guest users off, or change the root password from your directory utility, as 9to5Mac suggested.

How to secure your device?

Apple has already rolled out an update for it. But for the time being, if you haven't got the update you can do this simple trick to fix it. Create a username "root" and set a password to it.

Source: CNET

Comments

Popular posts from this blog

Now you can whisper to Alexa

Amazon’s Alexa can now listen and respond to whispers, and she will whisper back. Now first, this might set off another wave of anxiety for privacy advocates. Your virtual assistant is not only spying on you and potentially recording or storing your conversations, now she can do even if you tried to keep your voice down. Amazon’s team just made that sensitive microphone function even more acutely. Video demonstrating Alexa whisper: So, why do we need to whisper in the first place? Will it come handy in anyway? Yes. If you whisper, “Echo, play a lullaby,” for the infant who’s almost asleep in your arms, Echo will whisper back, “Here’s a station for lullabies from your Amazon Music library,” instead of screaming at  full startling volume. What's more? Whisper is not the only important feature that will come to Amazon Echo devices this year, we also have bunch of new ones. Guard : Guard will let you say, “Alexa, I’m leaving,” and the device will automatically acti...

How to Switch to Material Design refresh UI in Chrome?

Google has been working on a Material Design refresh for Chrome across desktop and mobile in recent months, and elements of the redesign are starting to make their way to the stable version of the browser. Chrome 68, released recently, now includes parts of the Material Design refresh hidden behind settings flags in both the iOS and desktop versions. Chrome 68 for Android does not yet include the Material Design refresh changes. By default it is not enabled even if you're on the latest version. Here's how to turn it on: Navigate to chrome://flags/#top-chrome-md In “ UI Layout for the browser’s top chrome ” change the option from default to refresh Restart Chrome to see the changes

Best Gaming Laptops You Can Buy Right Now

Gaming Laptops are no joke. They pack some serious performance under the hood that even some mid-range desktops cannot match. They’re often considered as huge, heavy and fat machines with red and blue paint all over their chassis, but that’s not the case at present. Over the past few years, manufacturers have introduced laptops packing more and more power in a thinner and lighter chassis. If you take a look at a gaming laptop from ten years ago and compare to anything from the present, I can guarantee that your jaw will drop and you’ll start wondering how technology has improved over the decade. Here are the top 10 performance grade laptops to make your selection from. 1. ASUS ROG G701VI Gaming Laptop  Unlocked Intel i7-7820HK processor 64GB of DDR4 RAM (yes, you read that right!) 1 TB NVMe SSD Overclockable GTX 1080 desktop class graphics card 17.3-inch 120Hz Full HD IPS panel with NVIDIA G-Sync 2. Alienware 17 R4 Intel i7-7820HK processor (overclocked up to 4.4 GHz) 32GB of DDR4 ...