MacOS High Sierra bug: blank password let anyone take control of a Mac

The Guardian – November 30, 2017

IMPACT: discovered a couple of weeks ago and disclosed in an Apple developer support forum… allow[s] anyone to access locked settings on a Mac using the user name “root” and no password, and subsequently unlock the computer

IMPACT: embarrassing for the company and dangerous, allowing anyone with physical access – and in some instances remote access – to a Mac computer to gain full access to user data

ROOT CAUSE (unofficial): A bug in authentication enables the root account with no password the first time authentication fails

COMPANY RESPONSE: Experts also warn against trying out the bug for yourself, as once enabled the flaw can then be more easily exploited even on a locked Mac.

COMPANY RESPONSE: We greatly regret this error and we apologise… We are auditing our development processes to help prevent this from happening again