Apple MacOS High Sierra Password Glitch Root

Apple is "scrambling" to fix a major flaw in its latest operating system, according to CNBC.

Yesterday, a Turkish developer named Lemi Ergin noticed that it was possible to gain access to administrator rights on the MacOS High Sierra system without a password. He found that by entering the username "root" and leaving the password blank, he was able to get unrestricted access after repeatedly pressing the log-in button.

Apple apologized for the glitch.

"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS," said an Apple spokesperson.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra."

AdvertisementADVERTISEMENT

The Apple Support Twitter account invited Ergin to message it privately, saying, "Let's take a closer look at what's happening together."

Let's take a closer look at what's happening together. Send us a DM that includes your Mac model along with your macOS version. We'll meet up with you there. https://t.co/GDrqU22YpT
— Apple Support (@AppleSupport) November 28, 2017

But some Twitter users criticized Ergin for publicly discussing the flaw, since it could potentially present a security problem.

Why do you tweet about this, like you called it, huge security issue instead of contacting apple via mail in first place ? With this tweet you made this issue even bigger. Not very responsible.
— Fabian Sengbusch (@FabianSengbusch) November 28, 2017

wow really putting a lot of computers out there in the wild at risk with this tweet, huh
— icy (@icystorm) November 28, 2017

I fully support @Apple suing you for this. Learn how to disclose security bugs before you call yourself a "Software Craftsman".
— Amir Omidi (@aaomidi) November 28, 2017

But others defended him, with one user saying that "exposing it publicly lights a fire under Apple, forcing them to prioritize a fix."

Apple is going to sue someone for their own software flaws? That's rich. Exposing it publicly lights a fire under Apple, forcing them to prioritize a fix. Private disclosure lets them drag their feet.
— coolpup ? (@_coolpup_) November 28, 2017

While the company is working on a permanent solution, it's offering users a workaround on its website.

"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," said the spokesperson. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

AdvertisementADVERTISEMENT