Login bug leaves big hole in Apple Mac computer security

PUBLISHED : Wednesday, 29 November, 2017, 4:59pm
UPDATED : Wednesday, 29 November, 2017, 9:51pm

Apple is preparing a fix for a bug that lets an intruder gain root (superuser) access on Macs running the latest version of the operating system software, MacOS High Sierra.

The bug, made public on Twitter on Tuesday by Turkish software developer Lemi Orhan Ergin, means that anyone can log into a Mac or adjust settings on the computer by entering the user name “root”, leaving the password field empty and pressing Enter: no password is needed.

The attack is carried out at the login window or in System Preferences, so in the typical case the person needs physical access to the computer; it cannot be launched over the network unless a remote-access service such as Screen Sharing is already enabled on the Mac.

USA TODAY confirmed the vulnerability on a late 2013 MacBook Pro running MacOS 10.13.1 and a late 2015 iMac running the same software. The bug unlocks the safeguards that prevent changes in “System Preferences” on the machine, as well as letting someone log into the Mac from the lock screen by simply going to the “other user” option at the login window.

Apple said the fix would come in a future software update. In the meantime, the company recommends users follow the steps outlined on its support page to enable the root user and set a password for it, so that the account can no longer be entered with a blank password.

“We are working on a software update to address this issue,” the company said in a statement provided to USA TODAY. “In the meantime, setting a root password prevents unauthorised access to your Mac. Instructions on how to enable the root user and set a password are on Apple ... If a root user is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘change the root password’ section.”

In following Apple’s steps, USA TODAY was able to disable the “root user” access.
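The check and the mitigation Apple describes can be scripted. The following is an added example written for this article, not Apple's own tooling or code from the original report. It assumes the standard macOS command-line tools dscl(1) and dsenableroot(8); the function names and the sample dscl output used below are ours. One caveat a practitioner should keep in mind: on an unpatched machine, an authentication attempt against root with an empty password is exactly the input that triggers the bug, so run the probe only when you are ready to set a root password immediately afterwards.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): audit the local root
# account on macOS High Sierra and apply Apple's recommended mitigation of
# giving root a real password.
#
# The audit relies on two real macOS commands:
#   dscl . -read /Users/root AuthenticationAuthority
#       a disabled root account has no AuthenticationAuthority attribute, so
#       dscl reports "No such key" (assumption: exact wording may vary by
#       release; eDSAttributeNotFound is matched as well)
#   dscl . -authonly root ""
#       exit status 0 means the empty password authenticated, i.e. the machine
#       is exposed

# classify_root: pure function so it can be tested offline.
#   $1 = text output of the dscl -read command above
#   $2 = exit status of the dscl -authonly probe (default 1 = auth failed)
# Prints one of: disabled, enabled-blank-password, enabled-with-password
classify_root() {
    aa_output=$1
    blank_status=${2:-1}
    case $aa_output in
        *"No such key"*|*eDSAttributeNotFound*|"")
            # No AuthenticationAuthority attribute at all: root is disabled.
            echo disabled ;;
        *)
            if [ "$blank_status" -eq 0 ]; then
                echo enabled-blank-password
            else
                echo enabled-with-password
            fi ;;
    esac
}

# audit_and_fix: live path, meaningful only on macOS. Reports the root state
# and, unless root already has a password, runs dsenableroot, which prompts
# for an administrator's credentials and the new root password.
audit_and_fix() {
    command -v dscl >/dev/null 2>&1 || {
        echo "dscl not found; this audit only runs on macOS" >&2
        return 2
    }
    aa=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    # WARNING: this probe is itself the trigger for the bug on 10.13.1; only
    # run it when you will set a password in the same session.
    dscl . -authonly root "" >/dev/null 2>&1
    blank=$?
    state=$(classify_root "$aa" "$blank")
    echo "root account: $state"
    if [ "$state" != enabled-with-password ]; then
        echo "setting a root password (Apple's interim mitigation)"
        dsenableroot
    fi
}

# Usage: sh root_audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_and_fix
fi
```

`classify_root` is kept separate from the live commands so the decision logic can be exercised on any system with constructed dscl output, while `audit_and_fix` is the part an administrator actually runs on the Mac. Re-run the audit after Apple's update is installed to confirm the blank-password probe no longer succeeds.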

Apple did not immediately respond to a question as to when users might expect to see a software update.

The latest bug poses plenty of risks. Root is the superuser account, above an ordinary administrator: whoever logs in as root has unrestricted access to every file on the machine and can delete data, change other users’ passwords, create new accounts or lock the owner out of the computer entirely. The same login works inside a remote session, so if Screen Sharing or another remote desktop service is enabled, the flaw can be exploited by anyone already connected to the vulnerable computer.