Stories
Slash Boxes
Comments

SoylentNews is people

Breaking News
posted by martyb on Thursday November 30 2017, @07:56AM   Printer-friendly
from the Security?-We-don't-need-no-steenkin-security! dept.

You can log in as root on the latest version of MacOS by pressing enter on the login prompt a few times. Just type in root as the user and press enter. There you go no password required.

Not sure what else to say; is this the stupidest massive security hole ever?

From Extreme Tech:

Reproing the bug is simple (at least until Apple fixes it): Type the login "root," then move the cursor into the password field and hit enter several times. It also apparently works if you simply hit the "login" button several times rather than using the keyboard, though a few tries may be necessary.

This was also reported at Ars Technica. Beware that the behavior seems to be that if you do not already have a root account with a (preferably strong) password, this bug essentially creates a root account with an empty password. Attempting this on your own system should be followed up by ensuring that any root a count has a strong password.

There is a patch that has just been made available; again according to Ars Technica:

Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in "root" as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.

Apple's brief notes for this security update (Security Update 2017-001) explain the bug by saying, "A logic error existed in the validation of credentials," and claims the problem has been addressed "with improved credential validation."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Funny) by Anonymous Coward on Thursday November 30 2017, @11:46AM

    by Anonymous Coward on Thursday November 30 2017, @11:46AM (#603392)

     

    Starting Score:    0  points
    Moderation   +1  
       Funny=1, Total=1
    Extra 'Funny' Modifier   0  

    Total Score:   1