A huge security issue with Apple's most recent operating system update for Mac allows anyone to log into devices running the OS without a password. The vulnerability was reported yesterday by a software developer on Twitter.
The macOS High Sierra bug was discovered last week by a member of the infrastructure staff at iyzico, a Turkish payment management platform provider, according to Lemi Orhan Ergin, a "software craftsman" at the company. Ergin said staff members reported the vulnerability to Apple on Nov. 23, and he disclosed the flaw publicly in a tweet on Tuesday.
Anyone running macOS High Sierra can resolve the issue quickly with a "simple fix," security writer Brian Krebs noted yesterday: "Change the root account's password now."
One of Apple's 'Most Embarrassing Vulnerabilities'
News of a vulnerability that opens up password-free root access to any Mac device running High Sierra shocked many users and security experts.
"The Mac OS High Sierra 'root' user bug is insane... just tried it for myself & cannot believe it actually worked," tweeted programmer William LeGate. "I can't think of anything worse that has been shipped by a major operating system in the past decade."
Forbes writer Thomas Fox-Brewster wrote yesterday that the bug "may go down as one of the most embarrassing vulnerabilities in Apple history."
One small bright spot may be that the vulnerability requires local access and appears difficult, though not impossible, to exploit remotely. This led multimedia developer Greg Edwards to tweet, "Are you running Mac OS High Sierra, and if so, when will you be away from your desk for 10-15 minutes today?"
"We are working on a software update to address this issue," Apple said in a statement to news outlets. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
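As an added defender-side check (not from the article, Apple, or Krebs), the following shell script classifies the local root account's state from the `AuthenticationAuthority` attribute that `dscl` reports on macOS and prints the matching remediation; the attribute formats it matches (`;DisabledUser;`, `;ShadowHash;`, and the `No such key` error for an account that was never enabled) are assumptions based on typical Directory Services output, and the classification is a pure function so it can be exercised with constructed samples on any system.

```shell
#!/bin/sh
# Added example: audit the macOS root account after the High Sierra root bug.
# Assumed dscl output formats (verify on your own machine):
#   never enabled -> non-zero exit, "No such key: AuthenticationAuthority"
#   disabled      -> value contains ";DisabledUser;"
#   enabled       -> value contains ";ShadowHash;" without ";DisabledUser;"

# classify_root_state <dscl output text>
# Prints one of: never-enabled, disabled, enabled, unknown.
# ";DisabledUser;" is tested before ";ShadowHash;" because a disabled
# account can still carry an old hash in the same attribute.
classify_root_state() {
    case "$1" in
        *"No such key"*)    echo "never-enabled" ;;
        *";DisabledUser;"*) echo "disabled" ;;
        *";ShadowHash;"*)   echo "enabled" ;;
        *)                  echo "unknown" ;;
    esac
}

# remediation_for <state>: the action a defender should take.
# "enabled" is what the bug leaves behind (root turned on, possibly with
# an empty password), so it gets the "set a password" recommendation.
remediation_for() {
    case "$1" in
        never-enabled) echo "ok: root is not enabled; leave it that way" ;;
        disabled)      echo "ok: root is explicitly disabled" ;;
        enabled)       echo "action: set a root password now (sudo passwd root) or disable root (sudo dsenableroot -d)" ;;
        *)             echo "action: inspect /Users/root manually" ;;
    esac
}

# audit_root_account: live check, macOS only (dscl is not present elsewhere)
audit_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; the live check only runs on macOS" >&2
        return 2
    fi
    # dscl exits non-zero when the attribute is absent; keep going anyway
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1) || true
    state=$(classify_root_state "$out")
    echo "root account state: $state"
    remediation_for "$state"
}

# Run the live audit only where it can actually execute.
if command -v dscl >/dev/null 2>&1; then
    audit_root_account
fi
```

On a Mac, save the script and run it as `sh audit_root.sh`; the live check needs no elevated privileges because it only reads the attribute.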
Reactions to Bug 'Like a Blast'
In a Medium post today, Ergin said his Twitter disclosure about the Mac bug was met with "many reactions like a blast." He added that his intent with yesterday's tweet wasn't to harm Apple or Apple users, but to "warn Apple and say 'there is a serious security issue in High Sierra, be aware of it and fix it.'"
While Ergin's disclosure has received widespread attention, the bug was actually reported earlier this month in an Apple Developer Forums thread about macOS High Sierra. A user responding to a question about creating an admin account in the operating system noted on Nov. 13 that one solution was to log in at startup with the username "root" and an empty password.
"Oh my god that should not work but it does," another user responded yesterday on the forum. "This is really REALLY bad. Some bug in authentication is ENABLING root with no password the first time it fails!"
Several experts have lambasted Apple for allowing the vulnerability in the first place.
"This is pretty bad of Apple," noted security writer Graham Cluley, who also took the company to task two months ago for another macOS High Sierra bug that displayed a user's password in plaintext upon clicking the "Show Hint" button.
In the case of a fix for this latest vulnerability, "I would imagine [Apple] will be pushing it out as a high priority," Cluley said. When that happens, "Make sure to update your Macs and MacBooks at your earliest opportunity after it is released," he added.