Fix for Apple's MacOS root password flaw is here

30 November, 2017, 12:41 | Author: Devin Moran
Apple's latest MacOS High Sierra operating system has a very serious flaw that can allow anyone with access to a Mac to gain root access by simply typing "root" as the username. "This is best, easiest way ever to get root, and Apple has handed it to them on a silver platter".

Apple's official policy of saying nothing about security issues until a fix is out meant that there wasn't much to go on once the news broke, except to assume that Apple's programmers were frantically coding up a fix...

But it turns out that the problem was highlighted in Apple's developer forums two weeks ago. When prompted for a username and password, type "root" as the username and leave the password empty. Apparently, this also works on the FileVault prompt in MacOS, which makes this bug quite devastating.

For many companies, reusing the same local admin password on every endpoint and rarely, if ever, changing it continues to be common practice. The flaw can also be exploited at the login screen of a locked Mac, even after a reboot, if the bug has been used before, and in some cases remotely, if a user has screen sharing enabled.

Security experts warned that the security hole was both embarrassing for the company and unsafe, allowing anyone with physical access - and in some instances remote access - to a Mac computer to gain full access to user data.

Developer Lemi Orhan Ergin publicly informed Apple about the security issue via Twitter on November 28, and was criticized by some for doing so out of fear that the bug would be more widely exploited.

Apple customers have found a login error in the High Sierra operating system that lets you log in to the system without a password, putting the user's data and information at risk. This simple action gives complete superuser access rights to the system, exposing all user data.

The security flaw was discovered by Lemi Ergin, a Turkish software developer.

The vulnerability was publicly revealed on Twitter earlier, but it's unknown whether or not Apple was alerted to it beforehand.

The flaw has since been closed by Apple with an update released Wednesday morning.
