A critical bug found in mac High Sierra that allows an attacker to gain admin access even without knowing the password of the victim’s system as this bug enables the root superuser on mac with no password and security check.
This mac High Sierra bug is discovered by a software developer Lemi Ergin. The bug lets someone attempt login to administrator account using root username with no password on an unlocked Mac. The attackers can take the full control of mac systems by exploiting this bug.
In recent times, various bug reports impacted the reputation of Apple products. Apple doesn’t prefer to disclose the vulnerabilities until the patches get released to the public, but attackers take an advantage of Apple products vulnerabilities to expose lots of affected systems until the bugs get fixed.
Following are the steps of how attackers can create a new administrator account on any kind of Mac account (admin or guest) by exploiting this Mac High Sierra bug:
- Open System Preferences
- Choose Users & Groups
- Click the lock to make changes
- Type “root” in the username field
- Click on the password field and leave it blank
- Now click on unlock and it should allow you full access to add a new administrator account
On the other hand, you can also use the root trick on the login screen to gain access on Mac, but it works only after the feature gets enabled in System Preferences. After that, you can easily get the admin-level access directly from the locked login screen and access everything on the computer.
According to the report of Ergin, this bug is present in the current version of macOS High Sierra 10.13.1 and the macOS 10.13.2 beta. It seems a very serious problem for Mac users Apple should need to fix this bug as quickly as possible.
Until the bug is fixed, you should set the password for root account to prevent the bug from working. Following are the steps by which you can set the password for a root account:
- Open System Preferences.
- Choose Users & Groups.
- Click on the lock to make changes.
- Enter your administrator name and password.
- Click on “Login Options”.
- Choose “Join” at the bottom of the window.
- Select “Open Directory Utility”.
- Click on the lock to make changes and enter your username and password.
- At the top of the menu bar, choose “Edit”.
- Select “Enable Root User”.
- Now you can enter a password for the root user account.
This will secure your root account and no one can get root account access by leaving password portion blank.