Apple Patches MacOS High Sierra Login Vulnerability
“Is Apple getting sloppy?”
That was the headline of a BBC article published on Wednesday, November 29th, 2017, reporting the discovery of a major security issue in Apple’s MacOS High Sierra operating system. It seems that a bug within the OS made it possible for anyone to access a High Sierra computer by exploiting a simple login loophole.
Usually, when you login as a user on a Mac, you must enter your username and password. On machines running High Sierra, though, it was possible to enter “root” as the username, leave the password field blank, and then click the login button several times in succession. This process allowed someone to access a Mac computer running High Sierra—even if they didn’t have an actual username or password – and worse yet, as root!
The vulnerability garnered global attention on Tuesday, November 28th, when software developer Lemi Orhan Ergin tweeted a message to Apple Support to report the problem. Apple quickly responded to Ergin’s tweet and set to work developing a patch to fix the issue.
Apple has now released an update meant specifically to eliminate the “root” username exploit from working in the future. The update was available for download as of Wednesday morning. Apple said that the update would install automatically on any Mac running macOS High Sierra 10.13.1, so there should be no need for most users to download and install the update manually.
In a statement to the site MacRumors, Apple expressed remorse for the vulnerability. “Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” the statement read. Apple also apologized to users and noted that “Our customers deserve better.” The company is currently auditing its software development processes to find out what went wrong and ensure that similar issues do not affect future OS releases.
Mac High Sierra was initially released to the public on September 25th of this year. This “root” username bug, it seems, existed in the operating system for two months, but no one knew about it. So far, there have been no reports of anyone exploiting the vulnerability for malicious purposes. Apple said it was not aware of the vulnerability until Tuesday when Ergin sent out his tweet.
Users of previous Mac operating systems—including High Sierra predecessor MacOS Sierra—needn’t worry about the issue. The bug affected only machines running the High Sierra OS.