Forum Moderators: travelin cat

Apple flaw allows macOS High Sierra logins without passwords

travelin cat

9:42 pm on Nov 28, 2017 (gmt 0)

The latest version of Apple’s software has a glaring hole in it: you can log in with just the username "root."
[cnet.com...]

robzilla

10:07 pm on Nov 28, 2017 (gmt 0)

Just tried it on my MacBook. Wow.

Chrispcritters

7:25 pm on Nov 29, 2017 (gmt 0)

A software update is available now.

engine

12:52 pm on Nov 30, 2017 (gmt 0)

It seems Apple will automatically install the fix on all systems running the latest version (10.13.1) of macOS High Sierra at some point today.

phranque

2:44 pm on Nov 30, 2017 (gmt 0)

There is a temporary workaround that involves enabling the root user and setting a password.
[support.apple.com...]

I haven't found anything that states whether or not this exploit actually provides root access to this username while the root user is disabled or if it is essentially a guest user.

engine

6:55 pm on Nov 30, 2017 (gmt 0)

I also found this:
Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1

[support.apple.com...]

graeme_p

6:46 pm on Dec 1, 2017 (gmt 0)

@phranque, this article: [theregister.co.uk...]

says that it does provide root access

phranque

11:27 pm on Dec 1, 2017 (gmt 0)

Thanks, graeme_p!
That's a good article...

travelin cat

11:37 pm on Dec 1, 2017 (gmt 0)

Ruh roh:
"Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the "root" bug reappears when they install the most recent macOS system update."
[wired.com...]

Lorel

7:32 pm on Dec 2, 2017 (gmt 0)

I'm sure glad I didn't update to High Sierra yet. I had (and still have) a lot of bugs just upgrading to Sierra.