A new security flaw has cropped up in Apple’s macOS High Sierra, and it can be quite dangerous. The vulnerability allows miscreants to directly access a macOS system and change personal files without needing any password.
The vulnerability was publicly disclosed by Turkish software developer Lemi Orhan Ergin via a tweet. Basically, it allows a user to gain access and make changes on a macOS machine by opening System Preferences > Users & Groups. Following this, they just have to click the lock, enter the word ‘root’ in the username field, select the password field (keeping it empty) and click the ‘Unlock’ button. While this looks like an effortless way to unlock a system, it is a major security threat that puts your personal data at risk of theft.
Once access to the System Administrator account is granted, it lets one view files stored in all user accounts and even edit the credentials of other users. However, if the system already has a root user enabled, hackers won’t be able to take advantage of this security hole.
Several publications have reached out to Apple and the company has confirmed that it is working on a software update to fix the issue.
“We are working on a software update to address the issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012M. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section,” Apple said in a statement.
Notably, Apple’s support page mentions that the root user is disabled by default. We had a quick chat with prominent Apple expert Preshit Deorukhkar, Editor in Chief – Beautifulpixels.com, to discuss this issue. He too concurred that the simplest fix for the vulnerability as of now would be to set a root password. This is how you can enable it in macOS:
If you have already enabled the root user account and want to change the password, simply open Directory Utility, and in the menu bar you will find Change Root Password. Select that and create a strong password. This should shield your system from the latest vulnerability.