Apple: New vulnerability is closed, but remains embarrassing

Written by Andy Prosper

The Apple new macOS has a serious and simple vulnerability that makes any user without problems the admin of a system. In this article, we summarize the current information.

Some backdoors in a system do not require extensive research, they do not need expensive security research, even complicated source code. “Dear @ Apple Support, we have discovered a HUGE vulnerability in MacOS High Sierra,” writes Turkish programmer Lemi Orhan Ergin on Twitter. Then he executes what could not be simpler: “Anyone can log in as root without a password after having typed in the login multiple times. Are you aware @ Apple? ”

The problem concerns macOS 10.13, better known as High Sierra, in its versions 10.13.1 and apparently beta versions of 10.13.2. The root account is actually only for the administrator, who should have full control of a computer – the error is the access but open to every user. For example, if an employee has admin access to his company’s network, he can install any software he wants. Likewise, it could override the company’s protections or gain access to critical systems. Apple IDs can also be removed. Until the vulnerability has been eliminated, you should not leave your Mac lying around unobserved. We bring¬†the right comparison: If you forget the door in a newly built house, it makes Burglars more than easy.

To do this, a user only has to select a function in the system settings that requires admin access – for example, setting up a new account on the computer. Who then clicks on the lock symbol and enters there as a username “root”, no longer needs a password. Simply patiently click on “Unlock” several times and after a few tries, you are in it.

Heise Online reports that the error also occurs during system login. As long as users can enter their own username instead of selecting it from a list, they will enter the system with “root”.

Apple itself has responded by now and offers a security update. Details and instructions can be found here. An Apple spokesman told us. “We deeply regret this mistake and apologize to all Mac users.”

Root access is not the first security issue with macOS High Sierra. Shortly after its release, a former NSA analyst had posted a video on the Internet showing a vulnerability in the operating system. Patrick Wardle, now senior researcher at the US security service Synack, got according to their own information access to the keychain – and thus spied on usernames and passwords.

About the author

Andy Prosper