Astonishing OS X bug lets anyone log into a High Sierra machine

Wow, this is a bad one. On Macs running the latest version of High Sierra (10.13.1 (17B48)), it appears that anyone can log in just by putting “root” in the user name field in a certain place. This is a huge, huge problem. Apple will probably fix it within hours, but holy moly. Do not leave your Mac unattended until this is resolved.

You can test it out for yourself. Just go to System Preferences and then enter one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.

No need to do that any more! Just enter “root” instead of your user name and hit enter. After a few tries, it should log right in.

Needless to say, this is incredibly, incredibly bad. Once you log in, you’ve essentially authenticated yourself as the owner of the computer. You can add administrators, change critical settings, lock out the current owner, and so on. Do not leave your Mac unattended until this is resolved.

So far this has worked on every preference panel we’ve tried, and we’re looking into whether it works reliably on logins, other dialogs, and so on. It didn’t work on a 10.13 (17A365) machine, but that one is also loaded up with Aol bloatware — sorry, Oath bloatware — which may affect things.

We’ve asked Apple for comment, but I’m guessing they’re pretty busy. We hope they have a fix soon because no one should leave their Mac unattended until this is resolved.

Published at Tue, 28 Nov 2017 20:32:25 +0000