User Tweets significant security issue with macOS High Sierra to Apple Support

Wednesday, 29 Nov, 2017

There is no security check, according to developer Lemi Ergin, who spotted the bug.

The vulnerability allows any person to access the administrator's account on an already unlocked Mac. Press Return or click the Unlock button a few times - I've seen it both accept on the first try and require a couple of additional tries. All you need to do is set a password for your root account (even if you never plan on using it), and no one will be able to use it to log in to your Mac. After signing in as a guest, it was possible to change security settings and install apps and software updates from the Mac App Store, just by typing the user name "root".
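The mitigation above rests on the root account having a real password. The following added check (example code, not from the article or from Apple) classifies the local root account from the AuthenticationAuthority attribute that `dscl . -read /Users/root AuthenticationAuthority` prints; it assumes a `;DisabledUser;` tag means the account is disabled, a `;ShadowHash;` tag means a password hash is stored, and a missing attribute means root has never been given a password.

```shell
#!/bin/sh
# Classify the root account from its AuthenticationAuthority attribute.
# Assumptions (not stated in the article): ";DisabledUser;" marks a
# disabled account, ";ShadowHash;" marks a stored password hash, and an
# empty or "No such key" result means root has no password at all.
# Pass the attribute text as $1 to classify it offline; run with no
# arguments on macOS to query dscl directly.

root_state() {
  attr="$1"
  case "$attr" in
    *";DisabledUser;"*) echo "disabled" ;;
    *";ShadowHash;"*)   echo "enabled-with-password" ;;
    ""|*"No such key"*) echo "no-password-set" ;;
    *)                  echo "unknown" ;;
  esac
}

# Defender's advice for each state. The article's mitigation is to set a
# root password so an empty one cannot be accepted at the login prompt.
root_advice() {
  case "$(root_state "$1")" in
    no-password-set)       echo "set a root password (sudo passwd root) or apply Apple's update" ;;
    enabled-with-password) echo "root has a password; disable root when it is not needed" ;;
    disabled)              echo "root account is disabled" ;;
    *)                     echo "unrecognised attribute; inspect manually" ;;
  esac
}

# Live mode: only runs where dscl exists (macOS) and no argument was given.
if [ $# -eq 0 ] && command -v dscl >/dev/null 2>&1; then
  attr="$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
  echo "state:  $(root_state "$attr")"
  echo "advice: $(root_advice "$attr")"
fi
```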

At this point, you should have full admin access from the locked login screen.

Despite suggestions that the flaw can be mitigated by disabling the computer's guest account, this will not work - it simply restarts the computer with Safari as the only application running. Those running previous versions of macOS, including Sierra and Yosemite, do not appear to be affected by the bug.

We have reached out to Apple and will update this article when we hear back.

The current release of macOS High Sierra, version 10.13.1, has a bug that allows someone with physical access to your machine to bypass the login screen and access your data.

Apple hasn't commented yet, but in the meantime, don't let anyone use your Mac while you're not there until Apple issues a fix. This gives the attacker access to all administrator preferences in System Preferences, but that's only the beginning: it also enables a new, system-wide root user with no password.

Apple's support team on Twitter replied to Ergin's tweet, which now has more than 3,500 retweets: "Let's take a closer look at what's happening together".