apple macos computer

Screengrab via Marques Brownlee

Dangerous flaw in macOS High Sierra leaves your Mac vulnerable: Here’s how to fix it (updated)

Mac users need to create a root password, asap.

 

Phillip Tracy

Tech

Published Nov 28, 2017   Updated May 22, 2021, 9:42 am CDT

A critical security flaw in Apple’s latest version of macOS grants intruders access to your computer’s settings and data without needing a password.

Publicly posted to Twitter by Turkish software developer Lemi Orhan Ergin, the dangerous vulnerability lets anyone using a Mac running macOS 10.13 High Sierra get authenticated into a “System Administrator” account, giving them access to all sorts of private files. It even gives them the ability to reset and change passwords.

What makes this flaw different—and much more alarming than anything we’ve seen in recent years—is that it can be exploited by anyone, not just hackers or software developers. The process is inconceivably simple. All someone needs to do is change “username” to “root,” leave the password blank, and press the “unlock” button multiple times. Eventually, the password protection fails and grants the intruder admin privileges. The computer then creates a new “other” user, which has the credentials to access and alter just about any setting and file on the computer. You can see how to exploit works in the video below.

The Daily Dot confirmed the flaw using a 2016 13-inch MacBook Pro. Multiple publications have successfully exploited the vulnerability using other Apple laptops, including the MacBook Air and MacBook.

It’s not clear if Apple was made aware of the problem before it was publicly disclosed. The user who tweeted it is already facing criticism from those who believe he failed to give a “responsible disclosure,” or when a security researcher agrees to give the affected company time to fix its error before posting about it publicly. Apple has a bug bounty program where it pays researchers for discovering unknown security bugs.

Apple’s support team on Twitter replied to Ergin’s tweet, which now has more than 3,500 retweets: “Let’s take a closer look at what’s happening together. Send us a DM that includes your Mac model along with your macOS version. We’ll meet up with you there.”

How to fix the macOS root flaw

It can’t be stressed enough: This is a critical security flaw that all Apple laptop and desktop owners shouldn’t ignore. It lets anyone with physical access to your computer take control of it without any effort. An intruder can also apparently access machines remotely when Remote Manager is enabled through Apple Remote Desktop or screensharing.app, according to some accounts.

To protect your computer, you’ll need to create a root password. To do this, go to System Preferences > Users & Groups > Login Options > Join (next to Network Account Server) > Open Directory Utility > Edit. Then select “Change Root Password…” and choose a strong password, something with many letters and characters that can’t be guessed. We have confirmed this method fixes the vulnerability.

We have reached out to Apple and will update this article when we hear back.

Update 5:43pm CT, Nov 28An Apple spokesperson confirmed the critical flaw in a statement to the Daily Dot and said it was working on a fix. The company also provided a link to instructions for adding a root password:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Update 12:57pm CT, Nov. 29: Apple released a security update designed to fix the macOS bug on Wednesday, less than 24 hours after it was publicly disclosed.

The fix can be found in the Mac App Store. Just open the app and select “Updates” from the top toolbar, then press “update” to the right of security update 2007-001.

Share this article
*First Published: Nov 28, 2017, 4:47 pm CST