A recent update for Apple’s latest macOS left a huge security bug

By December 11, 2017 News

Apple first announced High Sierra, the successor to macOS Sierra, in June 2017 and released it on the Mac App Store the following September. Since then, Apple has shipped three updates to the desktop operating system, the last of which introduced a serious vulnerability: anyone with physical access to a Mac running High Sierra can log in without a password as long as they sign in as a Guest with the username “root.” From there they can obtain administrator privileges on the machine.

There are a couple of ways to trigger this flaw, and they all appear on both the current version of High Sierra and the new beta. Apple released another update the next day that ostensibly fixes the issue. Before that, the only suggested workaround was to set a root password, or change the existing one, so that nobody could bypass administrator authentication. Removing guest accounts entirely also works as a more direct way to prevent unwanted access.
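The two workarounds above (a root password that is actually set, and Guest login switched off) are the things an administrator would want to verify on a fleet of Macs. The script below is an added example for this article, not code from Apple or from the article's author. It assumes the real macOS commands `dscl`, `defaults`, `passwd` and `dsenableroot` behave as on 10.13, and that `dscl . -read /Users/root AuthenticationAuthority` prints a `;ShadowHash;` entry when a password hash exists, a `;DisabledUser;` marker when root is disabled, and `No such key` when the attribute is absent; the classification rules built on those strings are ours. Off macOS it runs against constructed sample output so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example: audit a Mac for the High Sierra root-login workarounds.
# Assumptions (ours, not the article's): dscl(1) output formats as described
# in the lead-in; loginwindow keeps guest state under the GuestEnabled key.

# classify_root_auth RAW -> prints: password-set | disabled | no-password
# RAW is the raw dscl output for root's AuthenticationAuthority attribute.
# Caveat: a ShadowHash entry proves a hash exists, not that the password
# is non-empty, so treat "password-set" as a necessary, not sufficient, check.
classify_root_auth() {
  case "$1" in
    *DisabledUser*) echo disabled ;;
    *ShadowHash*)   echo password-set ;;
    *)              echo no-password ;;
  esac
}

# classify_guest RAW -> prints guest-on when the key reads 1, guest-off otherwise
classify_guest() {
  case "$1" in
    1) echo guest-on ;;
    *) echo guest-off ;;
  esac
}

# risk_verdict ROOTSTATE GUESTSTATE -> one verdict line for the operator
risk_verdict() {
  if [ "$1" = no-password ]; then
    echo "AT RISK: root has no password; set one (sudo passwd root) or run dsenableroot"
  elif [ "$2" = guest-on ]; then
    echo "REVIEW: root is $1 but Guest login is enabled"
  else
    echo "OK: root is $1 and Guest login is disabled"
  fi
}

# Live readings on macOS; constructed sample values everywhere else.
if [ "$(uname -s)" = Darwin ]; then
  root_raw=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  guest_raw=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)
else
  root_raw='No such key: AuthenticationAuthority'   # constructed: attribute absent
  guest_raw=1                                       # constructed: guest enabled
fi

root_state=$(classify_root_auth "$root_raw")
guest_state=$(classify_guest "$guest_raw")
echo "root account : $root_state"
echo "guest login  : $guest_state"
risk_verdict "$root_state" "$guest_state"
```

Run it with `sh` as an administrator on the machine being checked; `dscl` reads of the local node do not need root, but `defaults read` on the system loginwindow plist may. The constructed sample deliberately represents the worst case (no root password, Guest on) so the verdict path is visible on any platform.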

This loophole was apparently caused by a logic error in the system that prevented proper credential validation. The bug was first brought to Apple’s – and everyone else’s – attention publicly on Twitter by software developer Lemi Orhan Ergin, shortly after the update was launched. The speedy public disclosure of the glitch likely helped the tech giant address it quickly. Though Apple’s operating systems are often credited with better-than-average security, some still have holes that can be exploited.

Apple’s security division announced a bug bounty program in 2016 with payouts of up to $200,000, though VICE’s Motherboard reported that this is a fraction of what white-hat hackers are normally offered. Certain firms will pay as much as $1.5 million to obtain zero-day exploits and resell them legally on the grey market. The good news is that errors such as the High Sierra login bug are not common, but Mac users should still take steps to protect themselves, and consider speaking to a professional for a second opinion.