A root access flaw in Apple's macOS High Sierra 10.13.1 makes it possible for anyone to log into the system by typing “root” into the name field.
“We noticed a *HUGE* security issue at MacOS High Sierra,” tweeted security researcher Lemi Orhan Ergin, who first discovered the flaw. “Anyone can login as ‘root’ with an empty password after clicking on the login button several times.”
Ergin noted in another tweet that “You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use ‘root’ with no password.”
“The MacOS High Sierra vulnerability is alarming because it makes it seamless for someone to log into a system as root. While there are other methods that can provide bad actors with access and password reset capabilities via physical access, these require some technical knowledge and time,” said JASK Director of Cybersecurity Rod Soto, who has tested and verified the flaw. “The severity of this is how simple and quick anyone can execute the method and log in to reset and access user information even if their passwords are complicated.”
Once in, bad actors could “also install backdoors and disable any other protections on the device,” Soto said.
However, he noted, “it is expected that every corporate department that issues these types of devices would add passwords to root accounts as standard operating procedure.”
“This incident is a good reminder that system admins need to be prepared for worst-case scenarios by layering multiple digital security systems,” said Mike Buckbee, security engineer at Varonis.
“Modern computing is built up with layers upon layers of different interacting software systems,” said Buckbee. “With so many interactions, this virtually guarantees that serious vulnerabilities are going to be present.”
“Even with massive efforts to QA and harden systems” inevitably “something, somewhere is going to be missed,” he said. “For an enterprise to be secure it can't focus solely on the systems and vulnerabilities, but needs to look at the behavior of accounts, traffic and data on individual computing devices and the network.”
Buckbee said the flaw also underscored the threat that physical access poses. “If left for just a few moments in the wrong hands, your device could easily be compromised,” he said.
Pete Turner, Consumer Security Expert at Avast, said on the issue: “The lesson to learn here is that Macs are not magic. Their code is written by humans, they are used by humans and humans make mistakes. Setting a root password to prevent unauthorised access is sound advice. But an important takeaway from this issue should be that Macs aren't immune to systems vulnerabilities. Just like other systems, Macs need strong passwords and a good anti-virus to secure their data. Users can't afford to take security for granted. They need to be increasingly aware of risks like adware, malicious websites and phishing.
“Between January and November 2017, we blocked over 250 million malware threats aimed at our Mac customers. The most common type of malware attacking Macs is adware, which covers 17 percent (or 41 million detections) of these Mac threats. These insidious programs can affect your system in a number of ways, like sneaking suspicious files into your system, redirecting your web searches, and—of course—flooding you with ads.”