Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.
This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.
Update: An Apple spokesperson told MacRumors that a fix is in the works:
In a statement provided to MacRumors, Apple said the company's engineers began working on a fix as soon as the problem was discovered. Apple also apologized for the vulnerability and said its development process is being audited to prevent something similar from happening in the future.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.
This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.
Update: An Apple spokesperson told MacRumors that a fix is in the works:
"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."Update 2: Apple released a security update to address the vulnerability on Wednesday morning. The update can be downloaded on all machines running macOS 10.3.1 using the Software Update mechanism in the Mac App Store. Apple says it will automatically push out the update to all users who have not installed it later in the day.
In a statement provided to MacRumors, Apple said the company's engineers began working on a fix as soon as the problem was discovered. Apple also apologized for the vulnerability and said its development process is being audited to prevent something similar from happening in the future.
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.All users should download the new security update immediately.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
[ 684 comments ]
Top Rated Comments
(View all)
21 months ago
PUll it together Craig. You’re embarrassing yourself and Apple with iOS 11 and now this? What a shame.
21 months ago
10 years ago I started buying Apple products to avoid this kind of bugs.
Funny how things change :)
EDIT one day later :
Apple pushed an update with a fix under 24 hours, this is why i'm still using Apple products :)
Funny how things change :)
EDIT one day later :
Apple pushed an update with a fix under 24 hours, this is why i'm still using Apple products :)
21 months ago
We need an "Even Higher Sierra" release, and only that, this coming year.
High Sierra is just stoned enough that she's letting everyone in...
Maybe if Sierra gets a bit higher, paranoia, and security concerns, might kick in.
High Sierra is just stoned enough that she's letting everyone in...
Maybe if Sierra gets a bit higher, paranoia, and security concerns, might kick in.
21 months ago
The QA department must still be transitioning to Apple Park. I'm sure once everyone is settled in, attention to detail can resume.
21 months ago
You're telling me people leaving their computers unlocked and highly insecure and logged in is an issue?! No way!!!!
Did you read the article? This works at the LOGIN screen as well. I have confirmed that I can log out of my own account and log in to the PC as the user ROOT with no password.
Accept this is a MAJOR security hole. Root access to ANY computer is potentially fatal to the computer.
[ Read All Comments ]
Apple today seeded the first beta of an upcoming tvOS 13 software update to its public beta testing group, giving non-developers a chance to try out the new software ahead of its fall public release....
Apple today seeded the fifth beta of an upcoming iOS 12.4 update to developers, two weeks after seeding the fourth iOS 12.4 beta, and over a month after releasing iOS 12.3, a major update that...
Apple today seeded the third beta of an upcoming macOS Mojave 10.14.6 update to developers, two weeks after seeding the second macOS Mojave 10.14.6 beta and more than a month after the release of...
Apple today seeded the fourth beta of an upcoming watchOS 5.3 update to developers, two weeks after releasing the third watchOS 5.3 beta and a month after the launch of watchOS 5.2.1, an update that...
B&H Photo is further discounting a set of previous generation iMacs, providing the lowest ever price for the 21.5-inch model with 8GB RAM and a 1TB Fusion Drive. You can get this model for...
Microsoft plans to launch a small foldable Surface tablet in the first half of 2020, according to Jeff Lin, an analyst at research firm IHS Markit.
Microsoft Surface Go
In an email shared...
Augmented reality game Harry Potter: Wizards Unite got a surprise early release last week in the U.S. and the U.K., and Niantic has now rolled the game out to a global audience.
Early Sunday...
For this week's giveaway, we've teamed up with Tap to give MacRumors readers a chance to win one of the company's wearable keyboards, which Tap believes is the keyboard of the future.
...
