One more thing, this Mac update leaves you vulnerable.
Lemi Orhan Ergin became quite the popular fellow on Twitter today when he tweeted out a question to Apple. The question had to do with a security flaw he found in macOS High Sierra. This is no small flaw, and it’s shocking that something of this nature made it to public release. It’s enough to make you wonder if Apple does any real product testing, and will certainly leave you questioning the security of their products.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
With this flaw, anyone, and I mean anyone, could take control of a Mac. The process, I refuse to call it a hack as it is so simple, can be done in seconds. Head to a user name and password window, type “root” in the user name box, leave the password blank, and hit the unlock button. If it doesn’t work? Just do it again. If you’re lucky, it may take a couple of tries. In the end, a new user is created with full admin access to the computer. They can add and remove other users, change settings, do anything they like, as the computer now recognizes them as the admin. This can even be executed remotely if screen sharing functionality is enabled.
There seems to be some question as to whether the computer needs to be logged in the first time the process is used. Some who have reported on the issue claim that the first time, an “attacker” would need access to an unlocked computer, yet others have stated it works on the initial login screen. However it works, the login remains, even after the device has been rebooted, as seen in the following tweet.
Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp
— Amit Serper (@0xAmit) November 28, 2017
A hacker’s primary goal is to gain admin access so that they can carry out their attacks. I’d be shocked if this was not the easiest way to gain admin access to date. Leave it to Apple to add convenience even for malicious actors.
Poor Lemi, who initially tweeted out the flaw, has been bombarded by people angrily questioning why he tweeted out this information. Many have told him he should have submitted it as part of the bug bounty program. One lost soul even said Apple should sue him. Well, that’s a bit ridiculous. Yes, most researchers would inform Apple and wait for Apple to patch the bug before going public with it, but is there something that says someone has to? I suppose Apple should be exceptionally happy that Lemi didn’t simply sell off this bug to malicious actors. Additionally, it appears many Apple users are unaware that Apple doesn’t have a bug bounty program like most companies. Apple is notorious for underpaying bug bounties, as other companies will pay much more for iOS vulnerabilities. Apple’s bug bounty program is by invite only, and from what I can tell, only pertains to iOS. Also, Apple has been known to sit on vulnerabilities for months without fixing the issue.
The flaw going public as it has seems to have forced a response from Apple. Apple has released the following statement:
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.
We shall see how long it takes Apple to correct this flaw.