Apple’s hardware is good. Apple’s software is good. Everything Apple does is no less than good. This also applies to the security flaws in their system. The one that was discovered yesterday is not just a bug, it’s a good one. And by good, I mean major.
To verify the news, I grabbed a Macbook from one of our designers and tried it out. The result: Yes, it’s a security flaw and yes, it’s really bad.
Exploiting this security gap is easy. Remember the window that asks you to re-enter your password to access resources? You’ll find it in the system preferences. It’s the one that pops up when you’re changing settings and asks you to enter the username and password for your account. In my case, the username is «Creation» and the password is a well-kept secret.
Creation might not have access to resources. This happens often in companies where the internal IT department handles all devices and some system preferences can’t be adjusted by individual employees. In this case, you can only get access if you have the administrator password.
When this window appears, enter the following user name:
Leave the password empty and press enter. If it doesn’t work at first, just repeat pressing enter and it will work eventually. When we tested it at the office, we never needed more than two attempts.
That’s it, you now have access to the resources and you can change any system preferences as you wish. Lemi Orhan Ergin, a Turkish Information Security Researcher, discovered this flaw yesterday and took to twitter to share his findings.
This is worrying.
The good news for users is that you can fix this security gap just as easily as you can exploit it. Just change the root password. To do so, you need to activate the root user, as this user is deactivated by default.
If you’re looking for a shorter solution, open a terminal and enter this command line:
sudo passwd -u root
Isn’t it ironic that you can prevent a hack with a hack? Just saying.
Apple will probably release a software update to address this issue within no time. The solution is rather simple: The structure and implementation of the root user can’t be changed, but Apple can disallow empty password fields.
What have we learned? Next time Apple asks you to install an update, do it.
The root user is one of the default accounts on Unix-based systems. Apple’s macOS is Unix-based. It’s not surprising that an account which is called «root» is extremely important. In fact, it’s the most important account in the system.
root is the system’s administrator account. It can’t be removed.
This account has all rights on the computer or network, making it an extremely powerful tool. The equivalent user on Windows is called «Administrator».
Well, that’s it. All that’s left to say is change the password of your root account and install the update as soon as it’s available. Stay safe!
You have to be logged in to create a new comment.
You're not connected to the Internet. Please check that your connection is enabled to keep browsing the site.