
[UNPATCHED] Major Apple security flaw grants admin access on macOS High Sierra without password

ItsMitch

PSA: Upgrading to macOS 10.13.1 will undo Apple’s patch for critical root vulnerability

 

@djdwosk97 thanks for letting us know!!

 

 

 

 

PREFACE; I don't know MUCH about Apple, I just use an iPhone every now and then, thank fuck I don't own a Mac.

Story went live from a guy on Twitter who goes by Lemi Orhan Ergin, a security expert I guess, who found a huge flaw in the Apple Mac OS 10.13.1.

Quote

 

There seems to be a major flaw in Apple’s macOS High Sierra operating system that allows anyone to log into a machine and gain system administrator access without so much as entering a password. The vulnerability was publicly disclosed on Twitter this afternoon; it’s not clear whether the problem was privately reported to Apple ahead of time, which is the encouraged practice when security vulnerabilities are uncovered. (The company maintains an invite-only bug bounty program)

 

 

 

Apple hasn't yet responded to comments from The Verge, which I doubt that they'll respond to really. Seems like they dun goofed, no idea why they only do an invite-only bug bounty program, seems a bit strange to me. Oh, this can only be done on local systems it seems, so if your laptop gets stolen, hackers can use this to punch into your system.

 

 

His series of tweets:

 
Apple submitted a response to news outlets reporting the problem and issued the following: 
Quote

 

An Apple spokesperson said in an emailed statement: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section."

 

 

 

 

@hey_yo_ quick fix, can't quote properly, srry

Here's a quick fix to the vulnerability as per CNET's article https://www.cnet.com/how-to/how-to-fix-the-macos-high-sierra-password-bug/ 

  • Click the Apple logo in the menu bar and select System Preferences (or search for it in Spotlight).
  • Click Users & Groups.
  • Click the padlock icon in the lower-left corner.
  • Enter the password for your username.
  • Click Login Options.
  • Click Join or Edit next to Network Account Server.
  • Click Open Directory Utility…
  • Click the padlock icon in the lower-left corner and enter your password once more.
  • In the menu bar, click Edit and select Enable Root User. If root user is already enabled, click Change Root Password…
  • Enter a secure password and enter it a second time to verify.
  • Click OK to finish.

Once you've set a root password, the exploit will no longer work. However, if you disable the root user before Apple issues a patch for High Sierra, it will cause the bug to work again.

 

Apple has finally released a security patch to resolve this "logic error" at 8 am, this update will be pushed out later today if you didn't get it.

Statement from Apple

Quote

 

Security is a top priority for every Apple product, and regrettably, we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again

 

 

 

Sources: Thanks to Corin on ShareX's discord for bringing this up |  https://www.theverge.com/2017/11/28/16711782/apple-macos-high-sierra-critical-password-security-flaw
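Added example (not part of the original post, and not Apple's or CNET's code): a shell check for the state that the workaround above changes, i.e. whether the root account on a High Sierra Mac is still disabled or already enabled. It assumes that `dscl . -read /Users/root` shows `Password: *` and no `ShadowHash` entry for a disabled root; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the root account on a Mac from `dscl` output.
# Assumption: a disabled root reads "Password: *" with no ShadowHash entry.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='Password: *'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# $1 = text of: dscl . -read /Users/root Password AuthenticationAuthority
root_state() {
    pw=$(printf '%s\n' "$1" | awk '/^Password:/ {print $2; exit}')
    if printf '%s\n' "$1" | grep -q 'ShadowHash'; then
        echo enabled
    elif [ "$pw" = "*" ]; then
        echo disabled
    else
        echo unknown
    fi
}

# $1 = output of: sw_vers -productVersion
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) echo yes ;;
        *) echo no ;;
    esac
}

# $1 = product version, $2 = dscl text; prints one verdict word.
verdict() {
    [ "$(is_high_sierra "$1")" = yes ] || { echo NOT_HIGH_SIERRA; return 0; }
    case "$(root_state "$2")" in
        disabled) echo EXPOSED_UNLESS_PATCHED ;;  # set a root password or install the update
        enabled)  echo RESET_ROOT_PASSWORD ;;     # may be blank: run `sudo passwd root`
        *)        echo INSPECT_MANUALLY ;;
    esac
}

# Live check, only where the macOS tools exist.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    out=$(dscl . -read /Users/root Password AuthenticationAuthority 2>/dev/null || true)
    echo "root account: $(verdict "$(sw_vers -productVersion)" "$out")"
fi
```

The check cannot tell whether an enabled root account has a blank password, which is why that case maps to resetting the password rather than to "safe".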


Quote

Anyone can login as "root" with empty password after clicking on login button several times.

They said insanity was doing the same thing over and over and expecting a different result

They thought wrong xD

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


4 minutes ago, Ryan_Vickers said:

They said insanity was doing the same thing over and over and expecting a different result

They thought wrong xD

We don't talk about that game, but we do talk about that game's villain.

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


And I thought it was already ready to bypass user login password on Mac... Thanks for making it easier guys!

 

Dear Apple,

 

You rock.

 

Best Wishes, and Warmest Regards...


1 minute ago, ARikozuM said:

We don't talk about that game, but we do talk about that game's villain.

I'm pretty sure that quote predates Far Cry 3 xD


At least an easy fix would be giving root a password

I have a cue light I can use to show you when I’m joking, if you like.

 


9 minutes ago, Ryan_Vickers said:

I'm pretty sure that quote predates Far Cry 3 xD

As long as you don't talk about that game. ;)


The newest version of Mac OS X I use is 10.11 El Capitan, so I guess I'm fine. 

Main System: Phobos

AMD Ryzen 7 2700 (8C/16T), ASRock B450 Steel Legend, 16GB G.SKILL Aegis DDR4 3000MHz, AMD Radeon RX 570 4GB (XFX), 960GB Crucial M500, 2TB Seagate BarraCuda, Windows 10 Pro for Workstations/macOS Catalina

 

Secondary System: York

Intel Core i7-2600 (4C/8T), ASUS P8Z68-V/GEN3, 16GB GEIL Enhance Corsa DDR3 1600MHz, Zotac GeForce GTX 550 Ti 1GB, 240GB ADATA Ultimate SU650, Windows 10 Pro for Workstations

 

Older File Server: Yet to be named

Intel Pentium 4 HT (1C/2T), Intel D865GBF, 3GB DDR 400MHz, ATI Radeon HD 4650 1GB (HIS), 80GB WD Caviar, 320GB Hitachi Deskstar, Windows XP Pro SP3, Windows Server 2003 R2


3 minutes ago, TARS said:

At least an easy fix would be giving root a password

My mother has an iPhone 7 with TouchID... She didn't want to set a passcode nor use TouchID as it "would take too long".

 

And before you ask: My mother wouldn't listen to me even if I were her pets' veterinarian. 


7 minutes ago, ARikozuM said:

And before you ask: My mother wouldn't listen to me even if I were her pets' veterinarian. 

Considered buying a really ill pet and having no vets around?


Just now, SC2Mitch said:

Considered buying a really ill pet and having no vets around?

I'm saying that she wouldn't listen to me even though I'm licensed and board-certified. 

 

#MothersKnowBest


Time to head to my nearest Apple store and cause some mischief :ph34r: 

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15

 

 

 


1 hour ago, ARikozuM said:

My mother has an iPhone 7 with TouchID... She didn't want to set a passcode nor use TouchID as it "would take too long".

 

And before you ask: My mother wouldn't listen to me even if I were her pets' veterinarian. 

Far more likely than doing a bios update for Intel processors

The issue doesn't exist in El Capitan, and presumably not in Sierra.....so ummm, how exactly did it show up in High Sierra....watcha doing Apple.

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.


2 hours ago, ARikozuM said:

My mother has an iPhone 7 with TouchID... She didn't want to set a passcode nor use TouchID as it "would take too long".

 

And before you ask: My mother wouldn't listen to me even if I were her pets' veterinarian. 

I only have a pass-code thing because I haven't worked out how to turn it off on android.  For years I never had a code or swipe pattern.  If I lose my phone the only thing people will find out that they might not have already known is that I occasionally send my wife dirty txt's.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


32 minutes ago, Septimus said:

DrMacintosh countdown bet anyone?

inb4 "Apple's resources are spread thin because of all the things they did this year" applelogetic excuse 

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


20 minutes ago, mr moose said:

I only have a pass-code thing because I haven't worked out how to turn it off on android.  For years I never had a code or swipe pattern.  If I lose my phone the only thing people will find out that they might not have already known is that I occasionally send my wife dirty txt's.

You should be able to just set "none" as a type of pin in the list that offers password, pin, swipe pattern, etc.

That is, unless you have encryption turned on.  I would assume it needs some sort of code to use that, and it's on by default now so keep that in mind.


1 minute ago, Ryan_Vickers said:

You should be able to just set "none" as a type of pin in the list that offers password, pin, swipe pattern, etc.

That is, unless you have encryption turned on.  I would assume it needs some sort of code to use that, and it's on by default now so keep that in mind.

cheers.


Best security around!  Who would ever seriously guess that a password was no password at all...
