fbpx
Open post

Reddit user discloses some major issues with Mac OS root login

Recently, a user on Reddit gave information on a huge Mac OS High Sierra vulnerability. Access to “root” permissions is as easy as an empty password, potentially leaving users extremely vulnerable. If someone has physical access to a Mac OS High Sierra system, they can access personal files and change anything without any admin credentials.

This is a huge vulnerability for Mac users. Developer Lemi Orhan Ergin contacted apple to inform them of the vulnerability. Apple at the time had no update ready for such an issue, however informed of users a way to mitigate the possibility of someone gaining root access.

Disable guest users 

Opening up the system preferences and finding the “Users & Groups” section you can select guest users and uncheck “Allow guests to log into this computer.”

By doing this, no one can log into a guest user account and give them direct access to the root permissions option.

Change root password on Mac OS High Sierra

Another means of mitigating this issue, is by actually assigning a password to the root permissions, so if someone did attempt to enter with an empty password, they would be outright blocked.

  1. Launch systems and preferences
  2. Select users and groups
  3. Login options
  4. Join which is next to the “Network Account Server”
  5. Open Directory Utility
  6. Click the lock icon, and enter your password to gain access
  7. Once inside, in the menu bar of directory utility, select “Change Root Password”

That’s it! Make your own password for the Root access and ensure it is strong to keep it worth this effort!

Apple has informed that they are working on a quick patch, so the problem shouldn’t be relevant for too long, however it is always good to become familiar with this side of your system and learn of it’s layout, in case something in the future pops-up involving the same issue.

Stay safe and hacker free! Give us a call at re2tech and we can beef up your security and help explain your system and it’s workings to you in the process! 

Open post

One Plus, potential for additional disasters

Recently, OnePlus, the phone brand, has been under scrutiny due to a newly discovered security flaw with one of their apps. Their app, also known as OnePlus, leaves the consumer open to attacks because the application was revealed to carry root access for the device.

So what does this mean? It means that your device may be accessed even when locked, using this vulnerability. This access to the root for the device is called “Engineer mode” and was originally made for the purpose of checking the phones functionality before leaving the factory. The issue is, that the application OnePlus also has a backdoor that leads to the root and this functionality. Which means if someone so desired, they could gain access to your phone, despite their being a password lock on it.

A developer who discovered the vulnerability, plans to release an app which exploits this vulnerability and gives OnePlus users an easy root access method.

This exploit still requires ADB, but nonetheless still poses a threat to users. Thus far there has been no action taken, but the CEO of OnePlus said they are “looking into it.” 

 

Scroll to top