
Apple flaw allows MacOS High Sierra logins without passwords

The latest version of Apple’s software has a glaring hole in it: You can log in with just the username "root."

It turns out you don't need a password to log in to a locked Apple device using MacOS High Sierra -- just the username "root."


By heading to your device's System Preferences, under Users & Groups, you can click on the lock and get hit with a prompt asking for a username and password to change settings. Then, instead of entering a password, you can type in "root" for the username and leave the password field empty.



After clicking unlock several times, it should eventually open up, no passwords necessary. Lemi Orhan Ergin, the founder of Software Craftsmanship Turkey, discovered the security flaw and tweeted it out to Apple Support on Tuesday.



"We are working on a software update to address this issue," an Apple spokesperson said. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

The simple exploit means anybody with physical access to your MacOS High Sierra device can log in on your computer, no matter how secure your passwords are.

Amit Serper, a security researcher from Cybereason, demonstrated that the bug works even on the login screen after restarting the computer.

The bug works for every aspect of the OS that would normally require a password, which means someone could also get access to your Keychain, containing all your passwords.

MacOS High Sierra was also plagued with a password issue when it launched, after a former NSA hacker showed that he could extract sensitive data from Keychain using an app downloaded online.

There's a workaround for the "root" flaw until Apple fixes it. You can turn guest users off, or change the root password from your directory utility, as 9to5Mac suggested.

How to secure your device?

Apple has already rolled out an update for it. For the time being, if you haven't got the update yet, you can use this simple workaround: create a user named "root" and set a password for it.
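A defender's check to go with the workaround above, added here as an example and not taken from the original article or from Apple: it reads the root account's directory record with `dscl` and maps the result to the action Apple's statement calls for. It assumes `dscl` reports "No such key: AuthenticationAuthority" while root is disabled; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the macOS root account record.
# Assumption: dscl reports "No such key: AuthenticationAuthority"
# while the root account is disabled.

# Classify dscl output read from stdin as disabled / enabled / unknown.
classify_root_record() {
    record=$(cat)
    case "$record" in
        *"No such key: AuthenticationAuthority"*) echo "disabled" ;;
        *"AuthenticationAuthority:"*";ShadowHash;"*) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Map a state to the action described in Apple's statement.
advise() {
    case "$1" in
        disabled) echo "root is disabled: enable the Root User and set a password" ;;
        enabled)  echo "root is enabled: change the root password so it cannot be blank" ;;
        *)        echo "could not read the root record: check manually in Directory Utility" ;;
    esac
}

# Query the local directory node; reports "unknown" when dscl is absent (not macOS).
audit_root() {
    if command -v dscl >/dev/null 2>&1; then
        state=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_record)
    else
        state="unknown"
    fi
    advise "$state"
}

audit_root
```

An enabled root account does not tell you whether its password is blank, which is why the advice in that case is to reset it.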

Source: CNET
