A critical security bug in Apple’s macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta allows anyone to log in to an admin account by using a username “root” with no password and thereby access everything stored inside a Mac.
macOS users can prevent malicious actors from exploiting the security bug by enabling the root user and protecting it with a password.
The Internet literally exploded today after a security researcher demonstrated how easy it is for anyone to access a Mac computer by exploiting a security bug in macOS, which is considered among the most secure desktop operating systems.
‘Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?,’ wrote Lemi Orhan Ergin, the researcher who discovered the flaw, on Twitter.
‘You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. And try it for several times. Result is unbelievable!,’ he added in his next tweet.
To put it simply, if you want to gain ‘admin’ access to a Mac which is not yours, all you need to do is open System Preferences, click on ‘Users & Groups’, click on the lock sign to view the login screen, enter ‘root’ in the username field, leave the password field blank, and click on ‘Unlock’!
Once you complete these simple steps, you can gain ‘read and write’ access to any Mac and thereby access anything stored inside it.
What’s more, once you activate the admin account, which is disabled by default, by typing in the username ‘root’, you can subsequently use the same username to log in to a Mac at the login screen itself.
Predictably, the revelation literally rocked the Internet, with hundreds of thousands of users confirming the exploit and leaving Apple gasping for breath as it fought to preserve macOS’s reputation.
‘This is a very surprising bug that evaded the quality control on macOS High Sierra. Apparently, this also works on FileVault in the macOS which makes this bug quite devastating. The good news is that as of right now, there is not any mention of malware that leverages this security flaw,’ says Tyler Moffitt, Senior Threat Research Analyst at Webroot.
Because the researcher announced the ‘zero day exploit’ on Twitter instead of privately contacting Apple and giving the company time to fix the bug, as is the norm, almost every malicious hacker is now aware of the bug and will try to exploit it to the hilt before Apple comes in with a fix.
‘Failing to follow responsible disclosure guidelines puts everyone at greater risk. Public disclosure like this, especially with a major vulnerability, ensures the widest possible distribution of the information among malicious attackers, and instills a sense of urgency to attack before a patch is available.
This is absolutely a ‘drop everything and fix it’ moment for Apple. This vulnerability requires no skill to exploit and provides complete access to the affected systems,’ says Tim Erlin, VP of Product Management and Strategy at Tripwire.
Commenting on how the security bug may pulverise IT systems at hundreds of organisations that use macOS as their primary computing platform, Erlin said that organisations ‘should step up monitoring of their Mac systems for root login activity as a mitigating control while they apply the recommended workaround’.
According to the BBC, Ergin, the researcher responsible for highlighting the security bug, hasn’t yet stated why he chose Twitter to inform Apple about the bug. However, in a new blog post, he wrote that the issue had already been highlighted by some people and that he was himself made aware of the security bug by the infrastructure staff at the company he works for.
‘The issue was very serious. It has already been mentioned in forums and revealed publicly a few weeks ago. I thought I had to ask Apple “are you aware of it?”’ he wrote.
‘I have no intention to harm Apple and Apple users. By posting the tweet, I just wanted to warn Apple and say “there is a serious security issue in High Sierra, be aware of it and fix it”.
‘Simply saying, I am not the one who discovered the security bug, but the one who makes it more visible in public by mentioning it via Twitter,’ he added.
Even though Apple hasn’t commented yet on the researcher having breached disclosure norms, a number of security researchers have said that Ergin deserves to be sued for making the bug public and endangering the security of almost every macOS user out there.
‘I fully support @Apple suing you for this. Learn how to disclose security bugs before you call yourself a “Software Craftsman”,’ wrote Amir Obidi, a software developer.
Apple has promised that it will bring in a fix for the security bug soon and has asked users to follow certain steps to ensure that their Macs are not infiltrated by malicious actors looking to exploit the bug.
‘We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section,’ said Apple.
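A small audit script, added here as an illustration and not code from the article, Apple or Tripwire, that covers the two defensive points above: checking the state of the root record that Apple’s workaround fixes, and counting the root login activity Erlin recommends monitoring. It assumes the semicolon-delimited tag format of the AuthenticationAuthority attribute printed by `dscl . -read /Users/root AuthenticationAuthority` and the BSD `last` output format with the user name in the first column; the sample data embedded in it is constructed so it can run on a non-Mac.

```shell
#!/bin/sh
# Added example (not from the article or Apple). Assumptions: the ";Tag;" format of
# AuthenticationAuthority from `dscl`, and BSD `last` output (user in column 1).

# Classify the root record from its AuthenticationAuthority line.
# Prints: disabled | has-hash | enabled-no-hash
classify_root_auth() {
  case "$1" in
    *';DisabledUser;'*) echo disabled ;;          # root user switched off
    *';ShadowHash;'*)   echo has-hash ;;          # some password hash is stored
    *)                  echo enabled-no-hash ;;   # no hash at all: blank-password risk
  esac
}

# Count root logins in `last` output read from stdin (the activity to monitor).
count_root_logins() {
  awk '$1 == "root" { n++ } END { print n+0 }'
}

# Constructed sample data, used when the script is not running on macOS.
SAMPLE_AUTH='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_LAST='root      console    Tue Nov 28 21:04   still logged in
alice     console    Tue Nov 28 08:12 - 20:59  (12:47)
root      ttys001    Tue Nov 28 21:10 - 21:12  (00:02)
reboot    ~          Tue Nov 28 08:10'

main() {
  if command -v dscl >/dev/null 2>&1; then
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
    logins=$(last root | count_root_logins)
  else
    auth=$SAMPLE_AUTH
    logins=$(printf '%s\n' "$SAMPLE_LAST" | count_root_logins)
  fi
  state=$(classify_root_auth "$auth")
  echo "root record state: $state"
  echo "root logins seen:  $logins"
  # A stored ShadowHash can still be a hash of the empty password, so "has-hash"
  # is not proof of safety; applying Apple's workaround (a non-blank root
  # password, e.g. `sudo dscl . -passwd /Users/root`, which prompts) is.
  case "$state" in
    enabled-no-hash) echo "action: root has no password hash, set one now (HT204012)" ;;
    *)               echo "action: set or re-set a non-blank root password (HT204012)" ;;
  esac
}

main "$@"
```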
However, Peter Havens, Director of Product Management at Centrify, says that the security bug in macOS is a result of a ‘fundamental but ignored gap in enterprise security’.
‘For many companies, the practice of reusing the same local admin password for every endpoint, and rarely, if ever, changing it continues to be common practice. If that password becomes exposed through phishing or credential theft then the attacker has unfettered access to every endpoint in the organisation.
‘All local admin accounts (including the root account on Macs) should have unique passwords that are randomly created and regularly rotated. An easy way to accomplish this is through the use of a local admin password management (LAPM) solution. With a LAPM, authorised users can check out the local admin password for remote management or to temporarily grant admin rights to the device’s primary user,’ he adds.
Like all other operating systems, macOS is a complex computing platform and every new version of the OS comes with security flaws and vulnerabilities that are subsequently fixed after being highlighted by security researchers or internal security teams.
In July, Apple released a comprehensive security update package that contained patches for as many as 47 security flaws in iOS, macOS, and watchOS devices. Before it was patched by the July update, the firm’s WebKit browser engine for iOS and Safari contained as many as 23 security flaws which rendered it vulnerable to remote code execution by malicious actors.