There's an embarrassing and dangerous security hole in the latest Mac software (AAPL)
Getty
- There's a bug in the latest version of MacOS that lets anyone log in to change settings with the username "root" and no password.
- Apple hasn't commented yet, but in the meantime, don't let anyone physically use your Mac computer if you're not there until Apple issues a fix.
People are upset with Apple over a nasty security flaw apparently discovered on Tuesday in the latest version of MacOS, called High Sierra.
On an up-to-date Mac, users can apparently gain access to change protected settings in certain circumstances by telling the system their username is "root" and a blank password.
Business Insider was able to replicate the bug on Tuesday. After plugging in "root" as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. The bug didn't work on Mac with older software.
Apple didn't immediately respond to a request for comment.
Here are the original tweets that spurred the outrage:
https://twitter.com/mims/statuses/935578694541770752?ref_src=twsrc%5Etfw
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
https://twitter.com/mims/statuses/935581020774117381?ref_src=twsrc%5Etfw
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
Lots of people are picking up on the problem, including NSA whistleblower Edward Snowden and other security experts.
https://twitter.com/mims/statuses/935607721830871040?ref_src=twsrc%5Etfw
Imagine a locked door, but if you just keep trying the handle, it says "oh well" and lets you in without a key. https://t.co/KBW4qntMdA
https://twitter.com/mims/statuses/935609246548480000?ref_src=twsrc%5Etfw
Uh, that’s not so good... https://t.co/DqE2KJx3x4
https://twitter.com/mims/statuses/935604931150655488?ref_src=twsrc%5Etfw
You can bypass Apple auth by using "root" and no password. Here's my reproduction of https://t.co/SYSsPjLfpx /facepalm pic.twitter.com/oLa1S3W6Ly
This isn't the first major Apple security bug that's been discovered recently in MacOS. Earlier this year, Macs would apparently give out people's passwords when they clicked for a password hint.
NOW WATCH: What happens when vegetarians eat meat for the first time