There's an embarrassing and dangerous security hole in the latest Mac software
- There's a bug in the latest version of MacOS that lets anyone log in to change settings with the username "root" and no password.
- Apple hasn't commented yet, but until it issues a fix, don't let anyone physically use your Mac when you're not there.
People are upset with Apple over a nasty security flaw apparently discovered on Tuesday in the latest version of MacOS, called High Sierra.
On an up-to-date Mac, users can apparently gain access to change protected settings in certain circumstances by entering "root" as the username and leaving the password blank.
Business Insider was able to replicate the bug on Tuesday. After plugging in "root" as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. The bug didn't work on Macs with older software.
Apple didn't immediately respond to a request for comment.
Lots of people are picking up on the problem, including NSA whistleblower Edward Snowden and other security experts.
This isn't the first major Apple security bug that's been discovered recently in MacOS. Earlier this year, Macs would apparently give out people's passwords when they clicked for a password hint.
Here are the original tweets that spurred the outrage:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
- Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
- Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Imagine a locked door, but if you just keep trying the handle, it says "oh well" and lets you in without a key. https://t.co/KBW4qntMdA
- Edward Snowden (@Snowden) November 28, 2017
Uh, that's not so good... https://t.co/DqE2KJx3x4
- Troy Hunt (@troyhunt) November 28, 2017
You can bypass Apple auth by using "root" and no password. Here's my reproduction of https://t.co/SYSsPjLfpx /facepalm pic.twitter.com/oLa1S3W6Ly
- Bill Mill (@llimllib) November 28, 2017