20 hours ago, Lemi Orhan Ergin, a software craftsman from Turkey, tweeted Apple to draw the latter’s attention to a security issue. It was not a vulnerability that required advanced skills to exploit.
Yes, one could simply enter the user name root without any password at the login prompt of MacOS High Sierra and administrative access would be granted. Users from a Unix background are familiar with the term root1 superuser. It’s akin to Microsoft Windows administrator if that makes it simpler for non-Unix, non-Linux, non-MacOS users.
The hours that followed resulted in a social network frenzy with users confirming that they indeed got superuser access following Lemi’s instructions. The news spread online from Twitter to Reddit2, WIRED3, Computer World4, CNET5, Business Insider6 and many more. I’m sure you can find the stories elsewhere written in various flavours.
I’m not a Mac user and I do not have a MacOS High Sierra within reach in order to reproduce the root access flaw. However, my developer colleague and friend Sandeep Ramgolam tested it and posted a video on his Twitter account.
I imagine you’re like jaws dropped in astonishment, uncertainty, amusement and perhaps even fear. You’re surely wondering how to fix it, whether Apple has reacted and released a patch yet, etc? The good news is that a quick workaraound is as simple as setting a password for the root account. Until Apple patches the flaw, a strong root password could save you from unnecessary trouble by annoying classmates, colleagues, etc who have fun posting from other people’s computers.
At the time of writing this blog post there was still no reaction from Apple. In fact, if you’d be curious enough and would want to tag Apple in Tweets, know that Apple has not ever tweeted. 🤔
CVE-2017-13872 was assigned to macOS High Sierra with the following description7;
Apple published8 Security Update 2017-001.
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
Reuters9 reported Apple saying that it would audit its software development process.
- How to enable the root user on your Mac or change your root password? [return]
- Anyone can login as “root” with empty password on MacOS High Sierra [return]
- Apple MacOS High Sierra security flaw lets anyone get root access, No Password Required [return]
- What to do about Apple’s shameful Mac security flaw? [return]
- How to fix the MacOS High Sierra password bug? [return]
- There’s an embarrassing and dangerous security hole in the latest Mac software (AAPL) [return]
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13872 [return]
- https://support.apple.com/en-us/HT208315 [return]
- Reuters: Apple to audit development processes after Mac bug discovered [return]