MacOS High Sierra bug allows anyone to access a Mac with blank password

The Guardian Australia - Technology - Samuel Gibbs and Matthew Weaver

A serious security flaw found in the latest version of Apple’s macOS High Sierra could allow anyone to access locked settings on a Mac using the user name “root” and no password, and subsequently unlock the computer.

The security flaw, discovered a couple of weeks ago and disclosed in an Apple developer support forum, has been shown to work within the software’s user preferences screen, among other locations. Once triggered, the same combination will also bypass the lock screen of Macs running Apple’s latest operating system.

Turkish software developer Lemi Orhan Ergin publicised the flaw on Twitter, calling the bug a “huge security issue”.

Apple said it was “working on a software update to address this issue” and advised users to set a root password to prevent unauthorised access to Mac computers.

The bug does not appear to affect previous versions of macOS, including Sierra, El Capitan or older. It can reportedly be exploited on an unlocked Mac, bypassing security settings and allowing things such as FileVault encryption and the firewall to be turned off. It can also be exploited at the login screen of a locked Mac – even after a reboot – if the bug has been used before, and in some cases remotely if a user has screen sharing enabled.
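Apple’s advice above (set a root password) and the later warning that testing the bug leaves a persistent, enabled root account both come down to one question an administrator can check: is the root account on this Mac enabled at all? The script below is an added example for this article, not code from Apple or from anyone quoted here. It assumes (unverified here, labelled in the comments) that `dscl . -read /Users/root AuthenticationAuthority` fails with “No such key: AuthenticationAuthority” when root is disabled and prints an `AuthenticationAuthority:` line when root has been enabled; the sample strings are constructed so the classification logic can be exercised on any POSIX shell, while the real query only runs where `dscl` exists.

```shell
#!/bin/sh
# Added example (not from the article): read-only check of whether the macOS
# root account is enabled, which is the state the High Sierra bug leaves
# behind and the state in which Apple's advice (set a root password) matters.
#
# Assumption: `dscl . -read /Users/root AuthenticationAuthority` exits non-zero
# and prints "No such key: AuthenticationAuthority" when root is disabled, and
# prints a line beginning "AuthenticationAuthority:" when root is enabled.

# Classify the text dscl produced. Kept separate from the dscl call so the
# logic can be tested off-macOS with constructed input.
classify_root_state() {
    dscl_output=$1
    case "$dscl_output" in
        *"No such key: AuthenticationAuthority"*) echo "disabled" ;;
        *"AuthenticationAuthority:"*)             echo "enabled"  ;;
        *)                                        echo "unknown"  ;;
    esac
}

# Run the real query when dscl is available (macOS only); otherwise report
# that the host could not be checked. Exit status 0 = disabled (expected
# default), 1 = enabled (review: set a strong root password or apply the
# update), 2 = could not determine.
check_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "unknown (dscl not available on this host)"
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_state "$out")
    echo "$state"
    case "$state" in
        disabled) return 0 ;;
        enabled)  return 1 ;;
        *)        return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real machine) used to show
# the classifier's behaviour on hosts without dscl.
SAMPLE_DISABLED="No such key: AuthenticationAuthority"
SAMPLE_ENABLED="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"

# Usage: sh check_root.sh   (prints the classification for this host)
if [ "${0##*/}" = "check_root.sh" ]; then
    check_root_account
fi
```

An `enabled` result on a machine where no administrator deliberately set a root password is exactly the condition the article warns about: it persists across reboots and is reachable through remote services such as screen sharing, so the remedy is the one Apple gave, setting a root password, alongside installing the fix when it ships.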

‘This is really REALLY bad’

The security flaw was originally detailed as a solution to a user login problem on Apple’s developer support forum. A developer called Chethan Kamath, writing under the username chethan177, wrote on 13 November: “On startup, click on ‘Other’. Enter username: root and leave the password empty. Press enter. (Try twice). If you’re able to log in (hurray, you’re the admin now).”

The solution was then followed by exclamations of surprise that Apple’s software permitted such an action. CoyoteDen said: “Oh my god that should not work, but it does. This is really REALLY bad. Some bug in authentication is ENABLING root with no password the first time it fails!”

Security experts warned that the security hole was both embarrassing for the company and dangerous, allowing anyone with physical access – and in some instances remote access – to a Mac computer to gain full access to user data.

Edward Snowden commented on the bug, saying: “Imagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key.”

Experts also warn against trying out the bug for yourself, as once enabled the flaw can then be more easily exploited even on a locked Mac.

“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” Keith Hoodlet, a security engineer at Bugcrowd, told CSO.


The security flaw was initially discovered a couple of weeks ago and disclosed in an Apple developer support forum. Photograph: Apple
