Apple’s macOS High Sierra operating system contains an easily exploitable vulnerability that enables the root superuser account without a password, giving attackers full access to all parts of Mac computers.
The issue was made public by software developer Lemi Orhan Ergin, who demonstrated the flaw and reported it to Apple's tech support account.
iTnews was able to replicate the flaw and access a Mac without a password as the root superuser from the main login screen.
Even when it's not possible to enter a user name at the main macOS login screen, the flaw can be exploited via the system preferences settings.
An attacker can, for instance, enter root as the username in the users and groups preferences pane, leave the password field blank, and click the unlock button.
After that, it's possible for an attacker to add new accounts with full administrative rights.
Attackers with root privileges could turn off macOS security features such as FileVault disk encryption, install malware, and copy and delete data.
Security researcher Patrick Wardle noted the flaw can also be exploited remotely if the target macOS system has resource sharing services enabled.
Attempting to log in creates the root account with a blank password, Wardle said. If the root account is disabled, logging in remotely re-enables it.
Despite suggestions that the flaw can be mitigated by disabling the computer's guest account, this will not work - it simply restarts the computer with Safari the only application running.
It is possible to mitigate against the flaw, however, by adding a password for the root user in the users and groups preferences pane.
Users can click the login options button, then select the join network account server option.
In the dialog that pops up, click open directory utility; from the tool's menu bar, open the edit menu and choose change root password.
Disabling the root account in the open directory utility tool does not work, as the root account becomes re-enabled when entered into the user name field on login.
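The steps above leave the root account in one of three states: never enabled, disabled in Directory Utility (which the article says does not help), or enabled with a password set. The following shell script is an added example, not part of the iTnews article or of Apple's own guidance; it classifies that state from the text returned by `dscl . -read /Users/root AuthenticationAuthority` (an assumed check, to be run with administrator rights on the Mac itself). The three sample outputs embedded in it are constructed, not captured from a real system, so the script also runs anywhere for testing.

```shell
#!/bin/sh
# Added example (not from the article): classify the macOS root account state
# from the output of `dscl . -read /Users/root AuthenticationAuthority`.

# root_state OUTPUT
#   Prints one of: never-enabled | disabled | password-set | unknown
#   Order matters: a disabled root record still carries a ShadowHash entry,
#   so the ;DisabledUser; marker must be tested first.
root_state() {
  case "$1" in
    *"No such key"*)    echo "never-enabled" ;;   # no auth authority at all: the blank-password path the article describes
    *";DisabledUser;"*) echo "disabled" ;;        # disabled in Directory Utility: re-enabled on login, per the article
    *";ShadowHash;"*)   echo "password-set" ;;    # a password hash exists: the mitigation the article recommends
    *)                  echo "unknown" ;;
  esac
}

# mitigated STATE -> exit 0 only for the state the article considers safe
mitigated() {
  [ "$1" = "password-set" ]
}

# Constructed sample outputs (assumptions about dscl's wording, not real captures).
SAMPLE_NEVER='No such key: AuthenticationAuthority'
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_SET='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# If dscl is available (i.e. we are on a Mac), read the live record;
# otherwise demonstrate on the constructed samples.
if command -v dscl >/dev/null 2>&1; then
  live=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  state=$(root_state "$live")
  echo "root account state: $state"
  if mitigated "$state"; then
    echo "root has a password set"
  else
    echo "root has no password set; set one via Directory Utility or sudo passwd root"
  fi
else
  for s in "$SAMPLE_NEVER" "$SAMPLE_DISABLED" "$SAMPLE_SET"; do
    echo "$(root_state "$s")  <-  $s"
  done
fi
```

Only the `password-set` result counts as mitigated; the `disabled` state is deliberately reported as unsafe because, as the article notes, the account is re-enabled as soon as root is entered in the login username field.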