Stupid, stupid MacOS security flaw grants admin access to anyone



Apple, Apple, Apple. What are we going to do with you? In your most recent High Sierra macOS release, it turns out you’ve given a way for any local user to take over a Mac — lock, stock, and two smoking barrels.

This exploit doesn’t require any mad NSA-type hacker skillz. All you have to do is go to System Preferences, then Users & Groups, and click the lock to make changes. Then, enter “root” as the username, leave the password field blank, and click Unlock. If it doesn’t take the first time, click Unlock again. Shazam! You’re in.

As on any Unix/Linux-based system, the root user controls every administrative function and can read and write any file on the system, including other users’ files. In theory, the root account is disabled on Apple systems unless an administrator expressly enables it. Wrong!

Once in, you can edit your own permissions. For example, want to give yourself administrator privileges? Sure! Or, you can set up new administration-level accounts. Once you’ve done that, you can do anything your heart desires within the system.

Turkish developer Lemi Orhan Ergin discovered the flaw and announced Apple’s remarkably stupid security mistake on Twitter.

I, and numerous others, have checked it. We’ve found that the hole is just as bad as you’d think. The problem has been confirmed to exist in macOS High Sierra 10.13.0, 10.13.1 (the current High Sierra release), and the macOS High Sierra 10.13.2 beta. Fortunately, it appears that you can’t hijack a system using this trivial trick remotely. One caveat: if Screen Sharing or Remote Management is turned on, the same blank-password root login has been shown to work over the network, so check those services as well as the login window.

Apple has not confirmed that there is a problem nor has the company replied to a query asking for more details.

This makes four — count them, four — password-related security problems since High Sierra was released in September.

For the time being, you must — must — set a password for the root account. You can do this with the following command from the Terminal (it prompts for your own password, then twice for the new root password):

sudo passwd root

The same thing can be done in Directory Utility (Edit > Enable Root User), which asks for a root password as it enables the account. Either way, make it a strong password: you are enabling root, not just closing a hole. Once root has a real password, the blank-password trick won’t work. Do not disable root again afterwards on an unpatched system; that throws away the password hash, and the trick works once more.

So, what are you waiting on? Set the root password already!
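If you manage more than one Mac, you want something you can run rather than a checklist. The script below is an added example, not code from the original article or from Apple: it reads the root account’s AuthenticationAuthority attribute with dscl, classifies it, and flags the machine if it is on one of the versions the article confirms (10.13.0, 10.13.1) with no password hash for root. The dscl output shapes it matches on are assumptions taken from constructed sample lines embedded below; treat anything else as “unknown” rather than safe.

```shell
#!/bin/sh
# Added example, not from the original article. Checks whether a Mac's root
# account is in the state the blank-password trick abuses.
# Assumptions (not verified by the article): dscl prints
# "No such key: AuthenticationAuthority" when root has never been enabled,
# and an AuthenticationAuthority line containing ";ShadowHash;" once a
# password hash exists. Live checks run only where dscl exists (macOS).

# Constructed sample outputs of: dscl . -read /Users/root AuthenticationAuthority
SAMPLE_NEVER_ENABLED='No such key: AuthenticationAuthority'
SAMPLE_PASSWORD_SET='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.0000;LKDC:SHA1.0000;'

# root_state TEXT -> prints "no-password-hash", "password-set" or "unknown"
root_state() {
  case "$1" in
    *"No such key: AuthenticationAuthority"*) echo "no-password-hash" ;;
    *";ShadowHash;"*)                        echo "password-set" ;;
    *)                                       echo "unknown" ;;
  esac
}

# affected_version VER -> exit 0 for the releases the article confirms.
# A 10.13.2 beta reports plain "10.13.2", so the version string alone cannot
# separate the affected beta from any later fixed 10.13.2 build.
affected_version() {
  case "$1" in
    10.13.0|10.13.1) return 0 ;;
    *)               return 1 ;;
  esac
}

# live_check -> exit 1 when this Mac is on a confirmed-affected version and
# root has no password hash; exit 0 otherwise (including when not on macOS).
live_check() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found: not macOS, nothing to check"
    return 0
  fi
  ver=$(sw_vers -productVersion)
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  state=$(root_state "$out")
  echo "macOS $ver, root account: $state"
  if affected_version "$ver" && [ "$state" = "no-password-hash" ]; then
    echo "EXPOSED: run 'sudo passwd root' and set a strong root password"
    return 1
  fi
  echo "root has a password hash, or version is not in the confirmed list"
  return 0
}

live_check
```

Two things to keep in mind when reading its verdict. First, a hash of an empty password still shows up as “password-set”: if someone has already used the trick on the machine, the account now has a hash for the blank password, so the only safe move is to set a real root password regardless of what the script prints. Second, the version list is deliberately only what the article confirms; a machine reporting “10.13.2” may be the affected beta, and the script cannot tell, so check it by hand.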
