A root access flaw in Apple's macOS High Sierra 10.13.1 makes it possible for anyone to log into the system by typing “root” into the name field.
“We noticed a *HUGE* security issue at MacOS High Sierra,” tweeted security researcher Lemi Orhan Ergin, who first discovered the flaw. “Anyone can login as ‘root' with empty password after clicking on login button several times.”
Ergin noted in another tweet that “You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use ‘root' with no password.”
“The MacOS High Sierra vulnerability is alarming because it makes it seamless for someone to log into a system as root. While there are other methods that can provide bad actors with access and password reset capabilities via physical access, these require some technical knowledge and time,” said JASK Director of Cybersecurity Rod Soto, who has tested and verified the flaw. “The severity of this is how simple and quick anyone can execute the method and log in to reset and access user information even if their passwords are complicated.”
Once in, bad actors could “also install backdoors and disable any other protections on the device,” Soto said.
However, he noted, “it is expected that every corporate department that issues these types of devices would add passwords to root accounts as standard operating procedure.”
“This incident is a good reminder that system admins need to be prepared for worst-case scenarios by layering multiple digital security systems,” said Mike Buckbee, security engineer at Varonis.
“Modern computing is built up with layers upon layers of different interacting software systems,” said Buckbee. “With so many interactions, this virtually guarantees that serious vulnerabilities are going to be present.”
Even with massive efforts to QA and harden systems” inevitably “something, somewhere is going to be missed,” he said. “For an enterprise to be secure it can't focus solely on the systems and vulnerabilities, but needs to look at the behavior of accounts, traffic and data on individual computing devices and the network.”
Buckbee said the flaw also underscored the threat that physical access poses. “If left for just a few moments in the wrong hands, your device could easily be compromised,” he said.