Skip to comments.Huge security flaw lets anyone log into a High Sierra Mac
Posted on 11/28/2017 2:59:34 PM PST by grey_whiskers
Update: Apple has acknowledged the issue and is working on it. Statement and workaround below.
Wow, this is a bad one. On Macs running the latest version of High Sierra 10.13.1 (17B48) it appears that anyone can log in just by putting root in the user name field. This is a huge, huge problem. Apple will fix it probably within hours, but holy moly. Do not leave your Mac unattended until this is resolved.
The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally youd click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.
(Excerpt) Read more at techcrunch.com ...
Who needs Chinese hackers?
Awesome - I just downloaded this update last week, but didn’t have enough time to remove some stuff I was working on, so I didn’t have room to install it. Now I have a good reason to wait.
But the Apple fan bois on FR told us that Apple is perfect.
I’ve had this update for awhile now.
I remember there was another update to it immediately following the original and I suspect that second one fixed this.
I just tried it on my machine. Went to preferences, security and tried unlocking the padlock with “root”. It would not let it enter. Using my username and password would.
Wow... Good thing this wasn’t Microsoft that did it or that would be bad news. Apple fanboys will just consider it a nice feature and thank apple for the easy root.
On a serious note how the hell does this happen? Buffer overruns I understand but just typing root gives you root??? This is serious bad coding, quality review, security design, and leadership.
Yep this is only possible in windows. Plus since no one reported actually exploiting this issue that means it doesn’t count.
I haven’t kept track. Has Apple abolished root and required all users with root privileges to sudo? That’s what they did in Ubuntu, although by sudo’ing to the shell executable you could still get a rootshell.
I’m running 10.13.1 and this bug doesn’t seem to affect me. Perhaps it only affects certain models? In any event Apple should sort it out soon. Agree this is something that never should have gotten out the door.
I tried out this vulnerability on my iMac. Did not exist here. The root account was disabled, as it should be.
What happens if you type in poop?
This has to be fake news. I am sure someone will be along shortly to wave their hands and tell you it is all just an illusion of old and out of date info.
/sarc for them who needz it
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities.
Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.
It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.
Someone will be fired.
No, we have never said that. That was the anti-Apple people putting that claim in our mouths. We've just said that it was more secure which is still true. This is a minor kerfuffle that is only a risk if one doing it is an administrator and has physical access and it will be closed with a minor update to fix something that was overlooked in this update by someone who was working on this section.
No, but Apple requires the creation of a ROOT level above Admin. . . which is what this is about. Normally it requires that the Admin user creates a ROOT password with the activation of the ROOT ability. Someone forgot to turn that requirement back on.
In addition, there is now a new level ABOVE ROOT in Apple Macs that requires an additional factory set password to make specific system changes that even ROOT USERS cannot alter without invoking that special password. This is to prevent even a ROOT user from doing system damage or an outsider using a ROOT access from hiding a ROOT KIT.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.