Lemi Orhan Ergin, a Turkish software developer, tweeted at Apple to say he had discovered a flaw in its new operating system that allowed anyone to log in to a computer running macOS High Sierra without a password.
— Lemi Orhan Ergin (@lemiorhan) 28 November 2017
However, Mr Ergin faced a backlash of criticism for apparently not following strict disclosure guidelines typically used by security professionals. The guidelines instruct security experts to alert companies of flaws in their products, giving them a reasonable amount of time to fix the issue, before going public with the claims.
A root user has far more access than a regular Mac user: root can read and write the files of every other account on the same machine. This ‘super’ user has the potential to delete crucial system files, rendering the computer useless, or to install malware that typical security software would find hard to detect.
This is a serious issue that Apple needs to deal with swiftly, as it must now scramble to ship a fix before the vulnerability is exploited by criminals.
Apple has said in a statement: “We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
According to Prof Alan Woodward from the University of Surrey Cyber Security Centre, “Haste and security don’t make good bedfellows… They will need to be careful the patch doesn’t introduce some other problem as they’ve not had time to properly test it.”