Vulnerability discovered in macOS High Sierra

Turkish researcher Lemi Orhan Ergin discovered a serious vulnerability in macOS High Sierra: anyone with physical access to a device can unlock it without a password. All it takes is to enter “root” as the username and leave the password blank. The method might not work straight away, but it’s guaranteed to work after several attempts. The same trick then gives the intruder access to all data stored on the computer and to all password-protected functions. In particular, by using “root” as the username it’s possible to change the list of users and look into the keychain, where all the passwords are stored.

Apple admitted the existence of the problem and reported that they are working on getting it fixed. In the meantime users are advised to protect themselves, and fortunately that is quite easy. All you need to do is create a user called “root” in the “Users & Groups” section of the system settings and set a password. If the user already exists, change the password to your own.

Source: Technical Center of Internet
