Apple Mistake! You can log into macOS High Sierra as root with NO password

Created on:
October 4, 2018


A simple-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

The security bug is triggered via the authentication dialog box in Apple’s operating system, which prompts you for an administrator’s username and password when you need to do stuff like configure privacy and network settings.

If you type in “root” as the username, leave the password box blank, hit “enter” and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen.

The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world – it’s certainly far from a remote hole or a disk decryption technique – it’s just really, really sad to see megabucks Apple drop the ball like this.

Developer Lemi Orhan Ergan alerted the world to the flaw via Twitter in the past hour or so:

3h

Lemi Orhan Ergin@lemiorhan

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?

Lemi Orhan Ergin@lemiorhan

You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs

10:47 AM – Nov 28, 2017

View image on Twitter

It gets worse. You can use this programming blunder to disable FileVault…

But there is a workaround for now. If you have a root account enabled and a password for it set, the above blank password trick will not work. So, keep the account enabled and set a root password right now…

Replying to @lemiorhan and 2 others

Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.

sudo passwd -u root

Enter your password then a new password for the root user.
Anyone got a better fix?@SwiftOnSecurity @rotophonic@pwnallthethings

12:18 PM – Nov 28, 2017

A spokesperson for Apple was not immediately available for comment. Apparently, it’s due to the operating system accidentally creating a blank root account:

Paul Wagenseil@snd_wagenseil

Replying to @lemiorhan and 2 others

Thanks. We’ve confirmed this on 2 Macs & are writing it up. Procedure creates new Root account, no password, runs root commands w/o sudo.

12:15 PM – Nov 28, 2017

Mike Hanley@mhanley_duo

Replying to @lemiorhan and 2 others

This is not the password-less future we all had in mind.

12:30 PM – Nov 28, 2017

Chalk this up as just the latest embarrassing flaw in Apple’s newest flavor of macOS, the OS formerly known as OS X. In October, fans noted that High Sierra would also do things like disclose the password for encrypted drives, and cough up account credentials to untrusted applications.

Earlier builds of the OS also had a habit of ruining the hard drives in iMacs, and rendering kernel-level security protections effectively useless, thanks to buggy code implementations.

Let’s hope Apple engineers can do a bit better with next year’s release, or we may all be left hoping for that iOS to Mac conversion sooner than later. We’ll update this article as and when new information arrives. The latest High Sierra beta release is not affected, apparently.