Bypass Login on macOS High Sierra Without Password - Major Security Bug


A critical bug has been discovered in macOS High Sierra that lets an attacker log in as 'root' by leaving the password field blank and trying multiple times in a row.


The security bug is triggered via the authentication dialog box in Apple's operating system. The "root" account allows super-user access to your system. It's supposed to be disabled by default on macOS. For whatever reason, it's not on High Sierra. Instead, "root" is enabled and currently allows access to anyone without a password.


If you type in "root" as the username, leave the password box blank, hit "Enter" and then click Unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen.





Users who haven’t disabled guest user account access or changed their root passwords (likely most) are currently open to this vulnerability. We’ve included instructions on how to protect yourself in the meantime until an official fix from Apple is released.

Disabling guest user on macOS High Sierra

Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Guest User
Step 4 | Uncheck Allow guests to log in to this computer

Setting a password for 'root' fixes the problem:

Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Login Options
Step 4 | Select Join next to Network Account Server
Step 5 | Select Open Directory Utility
Step 6 | Click the lock and enter your password to make changes
Step 7 | In the menu bar of Directory Utility, select Change Root Password
Step 8 | Create a strong, unique password
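
To confirm that both sets of steps took effect, the script below (an added example, not part of the original post) reads the guest-login setting and the root password marker from Terminal and classifies each. It assumes `dscl . -read /Users/root Password` prints `Password: *` when root has no password set and `Password: ********` once one is stored; the fallback values are constructed samples used when the script is not run on macOS.

```shell
#!/bin/sh
# Added example: audit the two settings changed by the steps above.
# Parsing is kept separate from collection so it can be exercised
# with constructed sample output on any machine.

# Classify the text printed by: dscl . -read /Users/root Password
# Assumption: "*" marks a root account with no password set, and
# "********" marks an account that has a stored password hash.
classify_root() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    case "$value" in
        '*') echo "root-no-password" ;;    # set a root password (steps above)
        '')  echo "unknown" ;;             # attribute missing or unreadable
        *)   echo "root-password-set" ;;   # confirm you were the one who set it
    esac
}

# Classify the text printed by:
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
classify_guest() {
    case "$1" in
        1) echo "guest-enabled" ;;         # disable guest login (steps above)
        0) echo "guest-disabled" ;;
        *) echo "unknown" ;;               # key absent or unreadable
    esac
}

audit() {
    if command -v dscl >/dev/null 2>&1; then
        root_out=$(dscl . -read /Users/root Password 2>/dev/null) || true
        guest_out=$(defaults read /Library/Preferences/com.apple.loginwindow \
            GuestEnabled 2>/dev/null) || true
    else
        # Constructed sample output (not captured from a real system).
        root_out='Password: *'
        guest_out='1'
    fi
    echo "root:  $(classify_root "$root_out")"
    echo "guest: $(classify_guest "$guest_out")"
}

audit
```

A result of `root-password-set` on a machine where you never set a root password yourself deserves a closer look, since the marker alone cannot tell a strong password from a blank one.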

 
