
Security flaw in macOS High Sierra: All you need to know about Apple’s bug and how to protect your Mac

A security flaw has been discovered in Apple’s macOS High Sierra operating system. But not just any flaw; this one is really bad and extremely easy to exploit. I’ve tested it and have summarised all you need to know – including how to protect your Mac.

Apple’s hardware is good. Apple’s software is good. Everything Apple does is no less than good. This also applies to the security flaws in their system. The one that was discovered yesterday is not just a bug, it’s a good one. And by good, I mean major.

To verify the news, I grabbed a MacBook from one of our designers and tried it out. The result: Yes, it’s a security flaw and yes, it’s really bad.

Username root, no password

Exploiting this security gap is easy. Remember the window that asks you to re-enter your password to access resources? You’ll find it in the system preferences. It’s the one that pops up when you’re changing settings and asks you to enter the username and password for your account. In my case, the username is «Creation» and the password is a well-kept secret.

Creation might not have access to resources. This happens often in companies where the internal IT department handles all devices and some system preferences can’t be adjusted by individual employees. In this case, you can only get access if you have the administrator password.

When this window appears, enter the following username:

root

Leave the password field empty and press Enter. If it doesn’t work at first, just keep pressing Enter and it will work eventually. When we tested it at the office, we never needed more than two attempts.

That’s it, you now have access to the resources and you can change any system preferences as you wish. Lemi Orhan Ergin, a Turkish information security researcher, discovered this flaw yesterday and took to Twitter to share his findings.

This is worrying.

How to prevent unauthorised access to your Mac

The good news for users is that you can fix this security gap just as easily as you can exploit it. Just change the root password. To do so, you need to activate the root user, as this user is deactivated by default.

  1. Go to the Apple menu
  2. Choose System Preferences
  3. Click Users & Groups (or Accounts)
  4. Click the padlock symbol on the bottom left
  5. Enter your name and password or the root hack described above
  6. Click Login Options
  7. Click Join (or Edit)
  8. Click Open Directory Utility
  9. Click the padlock symbol in the Directory Utility window and enter your password or the root hack
  10. From the menu bar: Choose Edit > Enable Root User
  11. Enter the password that you want to use for the root user

If you’re looking for a shorter solution, open a terminal and enter this command line:

sudo passwd -u root

Isn’t it ironic that you can prevent a hack with a hack? Just saying.
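
To check afterwards whether root is still in its default deactivated state or has been enabled, here is an added example (not from the article) that classifies the record printed by `dscl . -read /Users/root`. The helper name and the sample records are constructed for illustration, and it assumes a deactivated root shows `Password: *` and no `AuthenticationAuthority` attribute.

```shell
#!/usr/bin/env bash
# Added example (not from the article): report whether the root account is
# still deactivated, based on the record printed by `dscl . -read /Users/root`.
# classify_root_record and the SAMPLE_* records are hypothetical/constructed.

# Constructed sample records, trimmed to the attributes that matter here.
SAMPLE_DISABLED='RecordName: root
UniqueID: 0
Password: *'
SAMPLE_ENABLED='RecordName: root
UniqueID: 0
Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Reads a dscl record on stdin and prints: disabled | enabled | unknown
classify_root_record() {
  local record password
  record=$(cat)
  # Value of the Password attribute; "*" means no usable password is stored.
  password=$(printf '%s\n' "$record" |
    awk -F': ' '$1 == "Password" { print $2; exit }')
  # Assumption: AuthenticationAuthority appears only once root has been
  # given a password hash, i.e. the account has been enabled.
  if printf '%s\n' "$record" | grep -q '^AuthenticationAuthority:'; then
    echo "enabled"
  elif [ "$password" = "*" ]; then
    echo "disabled"
  else
    echo "unknown"
  fi
}

# On a Mac, classify the live record; elsewhere this part is skipped.
if command -v dscl >/dev/null 2>&1; then
  state=$(dscl . -read /Users/root 2>/dev/null | classify_root_record)
  case "$state" in
    disabled) echo "root is deactivated (macOS default)" ;;
    enabled)  echo "root is enabled: expected only if you set its password yourself" ;;
    *)        echo "could not determine the state of the root account" ;;
  esac
fi
```

An `enabled` result on a Mac where nobody activated root on purpose is worth investigating.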

Apple will probably release a software update to address this issue in no time. The solution is rather simple: The structure and implementation of the root user can’t be changed, but Apple can disallow empty password fields.

What have we learned? Next time Apple asks you to install an update, do it.

Who or what is root? My Mac doesn’t have it

The root user is one of the default accounts on Unix-based systems. Apple’s macOS is Unix-based. It’s not surprising that an account which is called «root» is extremely important. In fact, it’s the most important account in the system.

root is the system’s administrator account. It can’t be removed.

This account has all rights on the computer or network, making it an extremely powerful tool. The equivalent user on Windows is called «Administrator».

Well, that’s it. All that’s left to say is change the password of your root account and install the update as soon as it’s available. Stay safe!

Journalist. Author. Hacker. My subjects generally revolve around Android or Apple’s iOS. I also feel strongly about IT security. In this day and age, privacy is no longer a minor matter but a strategy for survival.

19 comments

User TomPat64

High Sierra. Low Security.

29.11.2017

User jeevanandk

The developers and testers must have been high.

29.11.2017

User romanfrey

The patch has just been released by Apple.

29.11.2017

User netzhuffle

And in under 24 hours. Not bad!

29.11.2017

User account

And with macOS 10.13.1 it has already been accidentally undone again. Unbelievable.

02.12.2017

User amigafreak

I have always wondered why the Unix root account on macOS has no password and why one is not set by default. The first thing I do on every Mac is set the root password. I have always found that extremely critical. But the glaring security holes in macOS are piling up.

29.11.2017

User netzhuffle

Because normally it can't actually be used. Well, normally.

29.11.2017

User amigafreak

@Netzhuffle: there is an account on the system that has full admin access and is not password-protected. Even if the Apple tinkering layered on top tries to strip this account of its power, it is a potential point of attack. So why isn't this account secured with a password by default during installation?

30.11.2017

User Anonymous

Apple responded yesterday and released a security update. support.apple.com/en-us/HT2... It should have been installed automatically on your systems.

30.11.2017

User Anonymous

Something like this should NEVER EVER have made it to market, patch or no patch. But MS is no better in that respect.

30.11.2017

User Anonymous

lol, for whatever reason this comment has downvotes 🤷‍♂️

30.11.2017

User Anonymous

An article like this can only come from the Digitec hacker himself.. Who on earth calls themselves a hacker or "Journalist. Author. Hacker."?
Ridiculous.

30.11.2017

User olivermart

Well, I like Dominik's articles. Above all, they help less experienced users, which I think is an extremely good thing.

30.11.2017

User Anonymous

It may be that his "articles" go down better with everyday users. But it takes a bit more before one should adorn oneself with titles. Even the spelling leaves something to be desired.

30.11.2017

User fumo

@Oliversmart no, they usually mislead you; you just can't (and don't want to) know any better ;)

30.11.2017

User MystikReasons

Typical Apple. Overpriced products, and poor security measures come included. :)

29.11.2017

User smouker

Not only that...

See here:
heise.de/mac-and-i/meldung/...

Here:
heise.de/mac-and-i/meldung/...

and here:
heise.de/mac-and-i/meldung/...

Apple is allowing itself quite a few embarrassments at the moment.

01.12.2017