Apple confirms ‘really bad’ bug that lets anyone access your Mac

Macs come with default administrator user accounts that can be used by the system and are disabled by default. A user on the Apple support forums discovered that a software problem in High Sierra can cause the account to be turned on when exploited from the login screen.
Trying to log in as the system “root” account with an invalid password inexplicably enables the account and clears its password. The procedure allows an attacker to access the Mac by using the “root” account again and leaving the password field blank. Apple has yet to respond to the original forum post from two weeks ago, described by users as “really bad” and a trick that “should not work.”
It’s unclear why the root account gets enabled when it is accessed with an incorrect password. Although the exact mechanism is unknown, users have ascertained that the bug causes the root account password to get reset if authentication fails. An attacker need only enter the username, specify a blank password and then press enter twice. On the second attempt, access is granted as an administrator user.
In a comment on the bug, Edward Snowden likened it to a locked door that then breaks when you try to open it. “Imagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key,” Snowden wrote on Twitter.
For most users, the issue cannot be exploited remotely. However, advanced users who have intentionally enabled remote access to their Mac could be put at risk. There are also concerns that remote technical support programs could allow criminals to exploit the flaw, creating a new user account they could then persistently access. Security researchers warned users not to try to reproduce the problem without a full understanding of the root account.
Apple has confirmed it is working on a software update to address the underlying issues in the macOS authentication system. In the meantime, concerned users can follow the company’s advice to manually set a root user password. This will disable the login screen exploit by preventing the authentication from failing due to a blank password field.
