Anyone Can Change macOS High Sierra Passwords

[upnorth]

Quote : " If you're running macOS High Sierra, don't let anyone near your Apple Mac. It's possible for anyone to login to the Mac and get the admin level of access to change passwords, get access to all data on the main account and lock the original user out. Fortunately, there's a fix that should solve the problem, even as Apple works to patch.

First, the bug. In what may go down as one of the most embarrassing vulnerabilities in Apple history, all a "hacker" needs to do is sign in as an "Other" user, type in "root" for a username and no password. Then they're in.

Forbes tested the vulnerability and found it wide open, allowing a change of passwords for other accounts on the Mac. The initial finding came from Lemi Orhan Ergin, founder of Software Craftsmanship Turkey, who disclosed the bug via Twitter. "

Quote : " Whilst it would normally require physical access, and won't work if the Apple Mac is rebooted and has disk encryption enabled (and therefore requires another password), the attack opens up some serious issues. Thieves will now have an easy way into Apple Macs they've stolen, whilst the government can now quickly login to any devices they couldn't get into before. "

 

[upnorth]

Quote : " ...multiple Mac users have confirmed to WIRED that Apple's fix for that problem has a serious glitch of its own. Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the " root " bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they've also tried re-installing Apple's security patch after that upgrade, only to find that the "root" problem stillpersists until they reboot their computer, with no warning that a reboot is necessary.

" It’s really serious, because everyone said 'hey, Apple made a very fast update to this problem, hooray, '" says Volker Chartier, a software engineer at German energy firm Innogy who was the first to alert WIRED to the issue with Apple's patch. " But as soon as you update [to 10.13.1], it comes back again and no one knows it. "

' That is bad, bad, bad. '

THOMAS REED, MALWAREBYTES

Even if a Mac user knew to reinstall the security patch after they upgraded High Sierra—and in fact, Apple would eventually install that update automatically, as it has for other users affected by the " root " bug—they could still be left vulnerable, says Thomas Reed, an Apple-focused researcher at security firm MalwareBytes. After Reed confirmed that 10.13.1 reopened the " root " bug, he again installed Apple's security fix for the problem. But he found that, until he rebooted, he could even then type " root " without a password to entirely bypass High Sierra's security protections. "

Source : MacOS Update Accidentally Undoes Apple's "Root" Bug Patch