There's a bug in Apple's most recent operating system

Phillip Butler
November 29, 2017

We can confirm the bug is present in macOS 10.13.1 and for anyone with a Mac in a public office space, you are urged to fix this by yourself, immediately. We tested this bug on our Macbook Pro and yep-we were able to gain access to our machine after clicking "Unlock" after a couple of tries.

Security issues with your products are never a good thing and when you have a user publically Tweet about one, it makes you move. The Apple Support Twitter account acknowledged Ergin's tweet highlighting the issue but did not provide any additional comment.

That's not all. If your Mac displays the name and password fields on the login window, instead of a list of users, you can also log into the entire Mac as root, without a password. Just click the "Update" button next to the macOS High Sierra 10.13.2 beta listing and restart your Mac.

Apple has said it's working on a fix, so setting a root password should be sufficient protection for now.

Enlarge ImageA demonstration of the security flaw.                  CNET
Enlarge ImageA demonstration of the security flaw. CNET

If a bad actor exploited this security bug, they'd get System Administrator access - meaning that person could read and write over virtually any part of the computer system, including files in other macOS user accounts. Click "Login Options", then click "Join", which appears next to the text "Network Account Server".

Disabling the root account in the open directory utility tool does not work, as the root account becomes re-enabled when entered into the user name field on login. Then from the menu bar at the top of the screen, click on the "Edit" menu and choose "Enable Root User".

"A password prompt that authenticates as root with an empty password would be a black eye for any OS".

Click the lock button, then enter your username and password when prompted. Users can prevent an attacker from exploiting a bug by creating a "root" account themselves and giving it a custom password.

Other reports by Ligue1talk

Discuss This Article