MacOS bug allows anyone to login without a password. What should you do?
If you are using MacOS Sierra 10.13.1 (17B48) version, all your data might be at risk. A new security flaw allows anyone with just a bit of knowledge to reach files on your Mac. Apple has already released a software update, so make sure to update your iOS as soon as possible.
Take a look at the video about the vulnerability and a possible solution:
What has happened?
The bug has been discovered by Lemi Orhan Ergin who noted it publicly on Twitter. He found this security hole in the latest shipping version of MacOS, High Sierra 10.13. This flaw lets to gain access to a Mac without entering a password. This leaves MacOs, High Sierra users vulnerable.
Because of yet unidentified failure in authorization mechanism when checking user’s credentials, “root” login is confirmed, giving user full administrator rights to their system. Users just need to select the logging in as a different user. However, this flaw though it is highly reproducible, might fail in some cases.
Since the existence of “root” user itself might be news for some Mac OSX users, and superuser accounts usually should be disabled, it is not the case this time.
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.” – Apple comments.
What do you need to do right away?
You need to change your root password according to instructions below:
No one should leave their Mac unattended until this is resolved.
When enabling root password, please keep password hygiene in mind.
- Do not disclose your password to other people
- Choose a long password with 13+ symbols using alphanumerical symbols.
- Change your passwords frequently.