Hackers now have a new way to easily access your Mac.
A new bug has been discovered in the Mac version of the Google Chrome Remote Desktop app.
It allows hackers to access an admin account on Apple Macs via the Google extension, bypassing the need for a password.
The security flaw was unearthed by Check Point Research (CPR).
Google Chrome Remote Desktop allows users to access their desktop via another computer or smartphone.
If the Mac has guest access enabled, then this can provide a back-door to get hold of password-protected information.
CPR’s analyst noticed that by signing in as a guest user, hackers can jump into other sessions, including those started by an administrator account.
For it to work, guest access must be enabled on the Mac by the main account holder – the feature is not switched on by default.
A spokesperson for Check Point Research said: ‘To exploit this bug, once a Guest user connects to a remote desktop machine, the machine should have at least one active user in session.
‘In the login screen, a user then clicks on the ‘Guest’ icon and, since a guest does not require a password, the system will proceed.
‘What is expected to happen is that the local user that connects remotely to a macOS machine will receive the desktop of a ‘Guest’.
‘But while this is what appears in the remote machine, the local machine (the Chrome extension) receives the desktop of the other active user session, which in this case is an admin on the system, without ever entering the password.’
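A defender-side check for the two preconditions described above (guest login enabled, and another user's session active), as an added example that is not part of the original article and not code from Check Point or Google. It assumes the standard macOS loginwindow preference key `GuestEnabled` and that the guest account's short name is `Guest`; the `who` sample is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Mac for the preconditions the article names.

# Report whether guest login is enabled. `defaults` prints 1/0 for booleans;
# a missing key (or a non-macOS host without `defaults`) is treated as "no".
guest_enabled() {
    val=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null) || val=0
    case "$val" in 1|true|YES) echo yes ;; *) echo no ;; esac
}

# Count distinct non-Guest users in `who`-style output read from stdin.
# Assumption: the guest account appears under the short name "Guest".
other_sessions() {
    awk 'NF && $1 != "Guest" { seen[$1] = 1 }
         END { n = 0; for (u in seen) n++; print n }'
}

# Turn the two facts into a verdict: guest flag (yes/no) and session count.
assess() {
    guest=$1; sessions=$2
    if [ "$guest" = no ]; then
        echo "not-exposed: guest login disabled"
    elif [ "$sessions" -gt 0 ]; then
        echo "exposed: guest login enabled, $sessions other user(s) in session"
    else
        echo "latent: guest login enabled, no other session active"
    fi
}

# Constructed sample of `who` output: one admin with two ttys, plus Guest.
SAMPLE_WHO='alice    console  Feb 20 09:12
alice    ttys000  Feb 20 09:15
Guest    console  Feb 20 10:02'

# Live audit on the machine itself: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    assess "$(guest_enabled)" "$(who | other_sessions)"
fi

# Remediation if guest login is not needed:
#   sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
```

Run with `--live` on the Mac being audited; without arguments the script only defines the functions and the sample data.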
This security scare follows on from a series of other concerns regarding Macs.
An ‘embarrassing’ loophole in macOS High Sierra was discovered in January that lets anyone with access to a machine bypass password protection.
Using the fault, hackers could disable automatic security updates, leaving the machine open to system vulnerabilities that future updates would otherwise patch.
This was the second time in two months that Apple had been hit by password-based bugs in High Sierra, with a ‘root user’ flaw discovered in December.
The latest problem was first highlighted via a bug report on the Open Radar developer community website.
Experts said it was limited to the App Store and presents a relatively limited security risk.
Coming after the previous ‘root user’ flaw, as well as the more recent headline-hitting Meltdown and Spectre chip issues, the timing is likely to shake consumer confidence.
Writing on his Daring Fireball site, tech blogger John Gruber said: ‘This one is relatively low stakes.
DOES APPLE HAVE A SECURITY PROBLEM?
Apple’s release of the macOS High Sierra update has left chinks that are exposed to hackers.
A ‘root user’ flaw was discovered in December.
The flaw meant anyone could log in to a computer running macOS High Sierra without a password via System Preferences, using the root user account.
Apple previously advised its customers who may be affected to set a password for the device’s root user, which should stop people exploiting the vulnerability.
Apple released an update the following day to resolve this weakness.
The next glitch occurred in January, when it was revealed that a simple hack could allow access to protected information without the need for a password.
It worked as follows:
1) Log in to your Mac as a local admin
2) Open the App Store preference pane from System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter any bogus password
6) The system will grant you access
Experts claim it is limited to the App Store and presents a relatively limited security risk.
Also in January 2018, it was revealed that all Intel and ARM chips are exposed to hackers.
Macs, iPhones, iPads and Apple TV were all hit by the weakness, according to Apple, and it threatened to give cyber criminals access to passwords and other private data.
The latest security breach uses Google Remote Desktop Connection to access an admin account.
This lets hackers access the guest user account through the remote access portal and then jump across to another active account.
This can include the admin account, and the bug does not require a password.
The bug comes hot on the heels of a previous ‘root user’ password flaw discovered in December. Apple has reportedly already fixed the latest bug in beta versions of the next macOS High Sierra update, which will be rolled out to the public in the coming weeks.
‘These settings are unlocked by default for admin users, entering a bogus password only works if you’re logged in as an admin user and the settings in this panel aren’t particularly sensitive.
‘It’s apparently already fixed in the current High Sierra developer betas.
‘But, still, this is embarrassing given what we just went through with the very serious root-access-with-no-password bug.’
Apple fixed the bug in beta versions of the next macOS High Sierra update, which was rolled out to the public in January.
Anyone hoping to recreate the bug on their own Mac should log in as a local admin, then open the App Store preference pane from System Preferences.
You will then need to lock the padlock if it is already unlocked, and then click on it again to unlock it.
Enter any bogus password you like and the system will grant you access.
Apple pledged to review its software development process in early December 2017, after a researcher discovered a bug that could give hackers total control of vulnerable machines.
‘We greatly regret this error and we apologize to all Mac users,’ Apple said in a statement at the time.
‘Our customers deserve better. We are auditing our development processes to help prevent this from happening again.’
To exploit the bug, a hacker would need to have physical access to a vulnerable Mac when a user is logged on to the computer.
The attacker would then need to change settings on the computer to establish a ‘root’ account, which they could later access.
Root accounts give users complete control over a machine.
‘Security is a top priority for every Apple product, and regrettably we stumbled with this release of Mac OS,’ Apple said in its statement.
Apple confirmed that almost all of its devices are affected by Intel and Arm chip ‘design flaws’ that could expose billions of people’s personal data to cyber criminals.
The flaws leave the devices open to the devastating ‘Meltdown’ and ‘Spectre’ bugs, discovered by security researchers.
The tech company warned its customers to only download software for its platforms from trusted sources, like the App Store.
Meltdown is a flaw that affects laptops, desktop computers and internet servers with Intel chips.
It lets hackers bypass the hardware barrier between applications run by users and the computer’s kernel memory.
This has the potential to let hackers access the content of this portion of a computer’s memory.
This would enable them to steal data, such as passwords saved in web browsers.
Spectre affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.
‘Spectre’ affects chips in smartphones and tablets, as well as computer chips from Intel and Advanced Micro Devices Inc.