Horrifying macOS Bug Lets Anyone Become Admin With No Password

Mandy Carr
November 29, 2017

The macOS High Sierra "root" login bug in action.

The issue, found in macOS High Sierra, the laptop and desktop operating system Apple released in September, lets anyone type the word "root" when prompted for a username and leave the password blank when logging on to the device. It may take one to three attempts, but the dialog then accepts the empty password and grants full system access. From there the attacker can change any user's password, log in as that user, and reach things like email and saved browser passwords.

The reason this shouldn't work is that the root user isn't supposed to be enabled in the first place. Note that disabling the root user does not fix this, as you'll still be able to bypass it. I've confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, from the outside world. So far as we can tell, you otherwise need access to an already logged-in account in order to trigger it.

Apple has a well-publicized bug reporting program in place, but it appears Apple either didn't know about the security flaw or was unable to fix it before developer Lemi Orhan Ergin tweeted it out publicly, which unfortunately leaves Apple users even more exposed to attackers with bad intentions. "We are working on a software update to address this issue", explained Apple when reached for comment.

Until that update ships, the workaround is to give the root account a real password so that an empty one is no longer accepted:

1. Click the lock icon and enter your admin name and password.
2. Select Open Directory Utility, click the lock icon in the Directory Utility window, then enter your admin name and password again.
3. From the "Edit" menu in the menu bar at the top of the screen, choose "Enable Root User". This will prompt for a password for the root user account.
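The following is an added example, not part of the original article or of Apple's guidance: a small POSIX shell script that classifies the state of the root account from the output of `dscl . -read /Users/root AuthenticationAuthority`, decides whether the article's workaround (setting a root password) is still needed, and applies it with `sudo passwd root` instead of clicking through Directory Utility. The attribute format it matches on (no key at all when root has never had a password, a `;DisabledUser;` tag when root was disabled, a `;ShadowHash;` entry when a password is set) is an assumption about 10.13-era Open Directory records, and the sample outputs in the test are constructed, so verify the strings against a real machine before relying on it.

```shell
#!/bin/sh
# Added example (not from the article): inspect the macOS root account's
# AuthenticationAuthority record and apply the article's workaround from the
# command line. Assumed record shapes (verify on your own system):
#   no key at all            -> root never had a password (the vulnerable state)
#   ";DisabledUser;" present -> root disabled via Directory Utility
#   ";ShadowHash;" present   -> root has a password hash

# classify_root_auth: read dscl output on stdin and print one word:
#   nopass | disabled | enabled | unknown
classify_root_auth() {
    input=$(cat)
    case "$input" in
        *"No such key: AuthenticationAuthority"*) echo nopass ;;
        *";DisabledUser;"*)                       echo disabled ;;   # checked before ShadowHash: disabled records also carry a hash
        *";ShadowHash;"*)                         echo enabled ;;
        *)                                        echo unknown ;;
    esac
}

# workaround_needed: true (exit 0) unless root already has a password set.
# Per the article, a disabled root account is still bypassable, so only
# "enabled" (hash present, account not disabled) counts as safe.
# Reads the same dscl output on stdin as classify_root_auth.
workaround_needed() {
    state=$(classify_root_auth)
    [ "$state" != enabled ]
}

# check_root_account: run the live query (macOS only) and print the state.
check_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only runs on macOS" >&2
        return 2
    fi
    # "No such key" may go to stderr, so merge the streams before classifying.
    dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_auth
}

# set_root_password: command-line form of the article's workaround. passwd
# prompts interactively, so the new password never lands in argv or history.
set_root_password() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "this workaround only applies on macOS" >&2
        return 2
    fi
    sudo passwd root
}

# Stand-alone run: report the state and apply the workaround if needed.
if command -v dscl >/dev/null 2>&1; then
    state=$(check_root_account)
    printf 'root account state: %s\n' "$state"
    if dscl . -read /Users/root AuthenticationAuthority 2>&1 | workaround_needed; then
        echo "root has no usable password set; setting one now"
        set_root_password
    fi
fi
```

Re-run `check_root_account` after the fix: the expected outcome is `enabled`, and it should stay that way, since re-disabling root through Directory Utility puts you back in the state the article says can still be bypassed.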
