San Francisco: Apple has reportedly apologised and rolled out an update to fix a major security flaw in its Mac operating system (OS) that lets anyone log into Mac devices running it without a password.
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” The Telegraph quoted an Apple spokesperson as saying late Wednesday.
The latest version of macOS will automatically download the update.
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. The update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra,” the tech giant added.
The security flaw affected all Mac devices running the latest version of High Sierra (at least version 10.13.1 – 17B48), according to TechCrunch.
The vulnerability was discovered by Turkish developer Lemi Orhan, who found that the Mac log-in screen can be cracked simply by entering the word “root” as a username and hitting enter twice, without having to enter a password.
A day before, anyone could hack macOS High Sierra just by typing “ROOT”
There are hackable security flaws in software. And then there are those that don’t even require hacking at all—just a knock on the door, and asking to be let in. Apple’s macOS High Sierra has the second kind.
On Tuesday, security researchers disclosed a bug that allows anyone a blindingly easy method of breaking that operating system’s security protections. When anyone hits a prompt in High Sierra asking for a username and password before logging into a machine with multiple users, installing an application or changing settings, they can simply type “root” as a username, leave the password field blank, click “unlock” twice, and immediately gain full access.
In other words, the bug allows any rogue user that gets the slightest foothold on a target computer to gain the deepest level of access to a computer, known as “root” privileges. Malware designed to exploit the trick could also fully install itself deep within the computer, no password required.
“We always see malware trying to escalate privileges and get root access,” says Patrick Wardle, a security researcher with Synack. “This is best, easiest way ever to get root, and Apple has handed it to them on a silver platter.”
As word of the security vulnerability rippled across Twitter and other social media, a few security researchers found they couldn’t replicate the issue, but others captured and posted video demonstrations of the attack, like Wardle’s GIF below, and another that shows security researcher Amit Serper logging into a logged-out account. WIRED also independently confirmed the bug.