This bug was spotted by software engineer Lemi Orhan Ergin. He was able to bypass the login security by entering the word “root” in the username field of a login window, leaving the password empty, and hitting the Enter button. After a few tries, he was logged into the operating system with root privileges.
This way, anyone can log in to a computer just after a reboot. After hitting the Enter button a few times, you’re instantly logged in as a superuser with read/write privileges on system files.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
It’s also worth noting that this flaw was discussed on Apple Support Forum a couple of weeks ago, according to The Register, but nobody noticed its gravity:
Perhaps nobody noticed two weeks ago when the root login vulnerability in macOS High Sierra was shared as a helpful tip on Apple’s own Developer forums. https://t.co/P44gEId25d pic.twitter.com/sOiRt8j2X7
— Mike Myers (@fristle) November 29, 2017
With this kind of unfettered access, a malicious person can damage your machine by installing malware, stealing data, making changes to essential system files, etc. So, you are advised not to leave your Mac unattended until you fix this problem.
How to fix “login as root with no password” flaw in macOS?
While this bug is really embarrassing for Apple and shows a lack of testing by the engineering team, the flaw can be fixed in a few simple steps until Apple releases an official patch: set a root password. To do so, launch a Terminal window, type “sudo su” and authenticate with your own password to become root. Now type “passwd” and follow the instructions to change the password. That’s all.
We hope that Apple is working to fix the issue as soon as possible and release an official patch.