THE COMPUTER HEALER L.L.C OKEMOS, LANSING,MICHIGAN

Huge security flaw lets anyone log into a High Sierra Mac

11/28/2017

4 Comments

Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours but holy moly. Do not leave your Mac unattended until this is resolved.
The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.
No need to do that any more! Just enter “root” instead of your user name and hit enter. After a few tries, it should log right in. There’s no need to do this yourself to verify it. Doing so creates a “root” account that others may be able to take advantage of if you don’t disable it.


The bug appears to have been first noticed by Lemi Orhan Ergin, founder of Software Craftsman Turkey, who noted it publicly on Twitter.
Needless to say, this is incredibly, incredibly bad. Once you log in, you’ve essentially authenticated yourself as the owner of the computer. You can add administrators, change critical settings, lock out the current owner, and so on. Do not leave your Mac unattended until this is resolved.
So far this has worked on every preference panel we’ve tried, and when I used “root” at the login screen it immediately created and pulled up a new user with system administrator privileges. It didn’t work on a 10.13 (17A365) machine, but that one is also loaded up with Aol bloatware — sorry, Oath bloatware — which may affect things.
A potential fix is to log into the “root” account and change its password to… well, anything. But the safest thing is to not expose your device to any unfamiliar environments until the bug is fixed.
We’ve asked Apple for comment, but I’m guessing they’re pretty busy. We hope they have a fix soon because no one should leave their Mac unattended until this is resolved.
TCH
11/28/2017 04:18:13 pm

Just change the root password in Terminal
sudo su -
passwd
select new password
secure

Reply
TCH
11/28/2017 04:21:10 pm

https://twitter.com/AppleSupport/status/935585238792712192

Reply
TCH
11/28/2017 10:57:54 pm

Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password

Tuesday November 28, 2017 1:14 PM PST by Juli Clover
A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.

Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:
Open System Preferences.
Choose Users & Groups.
Click on the lock to make changes.
Enter your administrator name and password.
Click on "Login Options."
Choose "Join" at the bottom of the window.
Select "Open Directory Utility."
Click on the lock to make changes and enter your username and password.
At the top of the menu bar, choose "Edit."
Select "Enable Root User."

From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.


Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.

To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."

Reply
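The article's mitigation (give the root account a real password) and the steps quoted in the comment above both boil down to one check a defender can script: is root currently disabled, and does this host run High Sierra? The script below is an added example, not code from the article, from The Computer Healer or from Apple. It assumes the macOS tools `sw_vers`, `dscl` and `dsenableroot` with their documented flags, and that `dscl . -read /Users/root AuthenticationAuthority` answers "No such key" when root has never been given a password (common practice for this check, but an assumption, not something the article states).

```shell
#!/bin/sh
# Added example: check the root account on a High Sierra Mac and print the
# remediation the article recommends (set a non-blank root password).

# Classify root's state from the text that
#   dscl . -read /Users/root AuthenticationAuthority
# prints. The text is passed in as an argument so the logic can be
# exercised offline with constructed samples.
classify_root_state() {
    out="$1"
    case "$out" in
        *"No such key"*) echo "disabled" ;;      # no password record at all (assumed reply)
        *ShadowHash*)    echo "password-set" ;;  # a hash exists; it may still be blank, so rotate it
        *)               echo "unknown" ;;
    esac
}

# Is this a High Sierra (10.13.x) host? The article reproduced the bug on 10.13.1 (17B48).
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Live check on a Mac: reports the state and the recommended action.
check_host() {
    ver=$(sw_vers -productVersion 2>/dev/null || echo "unknown")
    state=$(classify_root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    echo "macOS $ver, root account: $state"
    if is_high_sierra "$ver"; then
        case "$state" in
            disabled)     echo "ACTION: enable root with a password: sudo dsenableroot -u <admin> -p <adminpw> -r <new-root-pw>" ;;
            password-set) echo "ACTION: rotate the root password in case it was set blank: sudo passwd root" ;;
            *)            echo "ACTION: inspect the root record manually" ;;
        esac
    else
        echo "not High Sierra; the article's report does not cover this version"
    fi
}

# Uncomment to run the live check on a Mac:
# check_host
```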
TCH
11/29/2017 07:25:08 am

https://youtu.be/vaCAs3jrY64

Reply