Hackers now have a new way to easily access your Mac.
A new bug has been discovered in the Mac version of the Google Chrome Remote Desktop app.
It allows hackers to access an admin account on Apple Macs via the Google extension, bypassing the need for a password.
The security flaw was unearthed by Check Point Research (CPR).
Google Chrome Remote Desktop allows users to access their desktop via another computer or smartphone.
If the Mac has guest access enabled, this can provide a back door to password-protected information.
CPR’s analyst noticed that by signing in as a guest user, hackers can jump into other sessions, including those started by an administrator account.
For it to work, guest access must be enabled on the Mac by the main account holder – the feature is not switched on by default.
A spokesperson for Check Point Research said: “To exploit this bug, once a Guest user connects to a remote desktop machine, the machine should have at least one active user in session.
“In the login screen, a user then clicks on the ‘Guest’ icon and, since a guest does not require a password, the system will proceed.
“What is expected to happen is that the local user that connects remotely to a macOS machine will receive the desktop of a ‘Guest’.
“But while this is what appears in the remote machine, the local machine (the Chrome extension) receives the desktop of the other active user session, which in this case is an admin on the system, without ever entering the password.”
An ‘embarrassing’ loophole in macOS High Sierra was discovered in January that lets anyone with access to a machine bypass password protection.
Using the fault, hackers could disable automatic security updates and then take advantage of system vulnerabilities that those updates would normally patch.
This was the second time in two months that Apple had been hit by password-based bugs in High Sierra, with a ‘root user’ flaw discovered in December.
The latest problem was first highlighted via a bug report on the Open Radar developer community website.
Experts said it was limited to the App Store and presented a relatively limited security risk.