A new bug has been spotted on macOS High Sierra that allows anyone to have root access to your system.
Those of you who have a MacBook or iMac will have seen and are probably on High Sierra. Unbeknown to many, people can actually access your Mac’s without knowing your password. However, they will need physical access to your Mac.
The Mac “Hack”
You are now probably worried. “Someone can access my Mac without my password?!”. At this current moment in time, yes, they can. However, Apple is working on a fix as we speak.
Regarding the hack, there are two possible types. The first type is those that require a flaw in the software and the other is not actually a hack at all. In fact, it is literally asking to be let in. Sounds crazy right?
You would be surprised how easy it actually is to break Apple’s security system.
Thankfully, this only affects those who have it set up to require a username and password when logging in. However, instead of using your actual log on, the person trying to gain access can simply type “root” in as the username. Now, you would probably expect to hear some overly complicated way to gain access. I’m afraid not, the person trying to gain access simply has to hit log in twice, with the password blank, and there you go. It’s really that simple and to many; very scary!
What is “root”?
Hackers around the world are constantly trying to gain access to the root directory. Many fail time after time as newer and more secure updates are released. However, Apple has simply handed root access to hackers on a big shiny silver platter.
Not only that, but the hacker literally has to do ZERO work to gain access.
But what is root? In simple, the root is an administrator account or known to many as a superuser. From the name superuser, you can probably tell that it is very powerful.
The scariest part, if the hacker gains access to your Mac and logs on as root, they can then do one simple step to then gain access to your Mac whenever and wherever they want. As with any user account, you can change the password. This is the exact same for the root user. This means that the hacker can quickly log onto your Mac as root, change the root password and then access it from the comforts of their own home.
Can it be fixed?
YES. This ridiculous bug in the Apple security system can be “fixed”. Apple is currently working on a fix that will be rolled out very soon. However, for those worries out there, you can fix it yourself.
Follow the steps below if you don’t want to wait for Apple’s fix;
Firstly, you want to navigate to the Apple menu (), then System Preferences followed by Users & Groups (Accounts).
Next, click on the little padlock and enter the admin name and password.
You will want to find the Login Options and then click Join or Edit.
Then, click Open Directory Utility and then the little padlock again. This will then prompt for the admin user and password again.
Finally, while in the Directory Utility, select Edit and then Change Root Password.
There you have it, your own little nifty fix to the annoying and possibly threatening bug Apple left in (an accident of course).
Why wasn’t it found sooner?
High Sierra has been out for a while, there have been a few minor updates but not once was there mention of this root hack. The reason is actually quite simple. Apple doesn’t offer a bug bounty for MacOS.
You might be confused as you have probably heard about Apple’s bug bounties. However, the only bounties they have are for iOS. There aren’t any for security vulnerabilities in MacOS. Therefore, no one was actually looking for any bugs in MacOS.
The only reason it was found now is due to a Turkish software developer, Lemi Orhan Ergin. Funnily enough, he wasn’t actually trying to hack MacOS. Instead, the security staff at his company found it after trying to help a user get back into their account.
Thankfully, it was reported to Apple and they have said they are working on a permanent fix. So sit tight and don’t let strangers access your Mac!
1 Comment
Reading your article helped me a lot and I agree with you. But I still have some doubts, can you clarify for me? I’ll keep an eye out for your answers.