20 hours ago, Lemi Orhan Ergin, a software craftsman from Turkey, tweeted at Apple to draw its attention to a security issue. It was not a vulnerability that required advanced skills to exploit.

Yes, one could simply enter the user name root without any password at the login prompt of macOS High Sierra and administrative access would be granted. Users from a Unix background are familiar with the term root[1] superuser. It’s akin to the administrator account on Microsoft Windows, if that makes it simpler for non-Unix, non-Linux, non-macOS users.

The hours that followed saw a social network frenzy, with users confirming that they indeed got superuser access by following Lemi’s instructions. The news spread online from Twitter to Reddit[2], WIRED[3], Computerworld[4], CNET[5], Business Insider[6] and many more. I’m sure you can find the story written elsewhere in various flavours.

I’m not a Mac user and I do not have a macOS High Sierra machine within reach in order to reproduce the root access flaw. However, my developer colleague and friend Sandeep Ramgolam tested it and posted a video on his Twitter account.

Quick Fix

I imagine your jaw has dropped in astonishment, uncertainty, amusement and perhaps even fear. You’re surely wondering how to fix it, whether Apple has reacted and released a patch yet, and so on. The good news is that a quick workaround is as simple as setting a password for the root account. Until Apple patches the flaw, a strong root password could save you from unnecessary trouble caused by annoying classmates, colleagues and others who have fun posting from other people’s computers.

At the time of writing this blog post there was still no reaction from Apple. In fact, if you are curious enough to want to tag Apple in tweets, know that Apple has never tweeted. 🤔

Apple Twitter account

Update

CVE-2017-13872 was assigned to macOS High Sierra with the following description[7]:

An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.

Apple published[8] Security Update 2017-001.

Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

Reuters[9] reported Apple saying that it would audit its software development process.