Apple password flaw exposed
APPLE users have noticed a troubling flaw in the company's Mac operating system which lets people circumnavigate password protocols to gain access to the computer.
Raising alarming privacy concerns, it means anyone with physical access to your MacBook or iMac can create a phantom profile that won't show up on real admin accounts if the machine is running the new High Sierra operating system.
In the device's System Preferences, under Users & Groups, you can click on the lock and gain system administrator access by simply entering the username "root" and leaving the password blank.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
After hitting enter a few times it grants access. Once that is done, the trick can be used to log into the computer at any time.
The flaw appears to have been first reported by software developer Lemi Orhan Ergin who tweeted the fault to Apple's support team this morning.
The flaw has been confirmed by a number of users and reported by various tech publications.
Just tested the apple root login bug. You can log in as root even after the machi was rebooted pic.twitter.com/fTHZ7nkcUp— Amit Serper (@0xAmit) November 28, 2017
As Forbes points out, while someone needs to have physical access to your computers, it is problematic in certain scenarios. For instance thieves now have an easy way to get into Apple Macs they've stolen and third parties like law enforcement officials could easily login to a suspect's private computer.
Most security flaws are so esoteric that normals like me can't really comprehend them, so I salute Apple for building such an accessible flaw. https://t.co/yAYMpd6duR— Tom Gara (@tomgara) November 28, 2017
The bug reportedly works for all aspects of the operating system that would normally require a password, meaning someone could also get access to your Apple Keychain which holds all your passwords.
If you want a quick way to protect against the flaw, it's probably wise to turn off any guest admin account so people can't enact the password workaround, or change the root password from your directory utility under Settings > Users & Groups > Login Options.
Apple has yet to comment on the flaw.