There's an embarrassing and dangerous security hole in the latest Mac software
Getty
- There's a bug in the latest version of MacOS that lets anyone log in to change settings with the username "root" and no password.
- Apple hasn't commented yet, but in the meantime, don't let anyone physically use your Mac computer if you're not there until Apple issues a fix.
People are upset with Apple over a nasty security flaw apparently discovered on Tuesday in the latest version of MacOS, called High Sierra.
On an up-to-date Mac, users can apparently gain access to change protected settings in certain circumstances by telling the system their username is "root" and a blank password.
Business Insider was able to replicate the bug on Tuesday. After plugging in "root" as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. The bug didn't work on Mac with older software.
Apple didn't immediately respond to a request for comment.
Here are the original tweets that spurred the outrage:
Lots of people are picking up on the problem, including NSA whistleblower Edward Snowden and other security experts.
This isn't the first major Apple security bug that's been discovered recently in MacOS. Earlier this year, Macs would apparently give out people's passwords when they clicked for a password hint.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
- Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
- Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Imagine a locked door, but if you just keep trying the handle, it says "oh well" and lets you in without a key. https://t.co/KBW4qntMdA
- Edward Snowden (@Snowden) November 28, 2017
Uh, that's not so good... https://t.co/DqE2KJx3x4
- Troy Hunt (@troyhunt) November 28, 2017
You can bypass Apple auth by using "root" and no password. Here's my reproduction of https://t.co/SYSsPjLfpx /facepalm pic.twitter.com/oLa1S3W6Ly
- Bill Mill (@llimllib) November 28, 2017
- I got a $40K raise using this 30-second strategy. It made me realize loud work, not hard work, always wins.
- Qatar Airways' new CEO explains why it's sticking with the Airbus A380 as other airlines retire the costly superjumbo
- Prince Harry and Meghan found out about Kate Middleton's cancer diagnosis on TV like everyone else, report says
- Consuming excessive salt and inadequate potassium, protein is making North Indians prone to life-threatening diseases: Study
- Upcoming cars and two-wheelers launching in India in April 2024
- Ice melt in Antarctica and Greenland is slowing Earth's rotation, affecting timekeeping: Study
- Elections on a plate: Poll panels fix menu & expense ceiling for Samosa, tea, biryani & more
- Regenerative farming, cover crops will help farmers increase yields, reduce stubble burning: IDH CEO