And there's no security check, according to developer Lemi Ergin, who spotted the bug.
The vulnerability allows any person to access the administrator's account on an already unlocked Mac. Press Return or click the Unlock button a few times - I've seen it both accept on the first try and require a couple of additional tries. To protect yourself, all you need to do is set a password for your root account (even if you never plan on using it), and no one will be able to use it to log in to your Mac. After signing in as a guest, it was possible to change security settings and install apps and software updates from the Mac App Store, just by typing the user name "root".
At this point, you should have full admin access from the locked login screen.
Despite suggestions that the flaw can be mitigated by disabling the computer's guest account, this will not work - it simply restarts the computer with Safari as the only application running. Those running previous versions of macOS, including Sierra and Yosemite, do not appear to be affected by the bug.
We have reached out to Apple and will update this article when we hear back.
The current release of macOS High Sierra, version 10.13.1, has a bug that allows someone with physical access to your machine to bypass the log-in screen and access your data.
Apple hasn't commented yet, but in the meantime, until Apple issues a fix, don't let anyone physically use your Mac when you're not there. This gives the attacker access to all administrator preferences in System Preferences... but that's only the beginning: this also enables a new, system-wide root user with no password.
Apple's support team on Twitter replied to Ergin's tweet, which now has more than 3,500 retweets: "Let's take a closer look at what's happening together".