And It Just Roots: New MacOS Security Flaw Emerges

Update: Apple has issued a fix for this. –Paul

A major new macOS vulnerability has just been discovered, and it’s also been disclosed publicly…on Twitter. The bug gives anyone unauthorized administration access to a Mac using a very simple trick: logging in as root.

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device. This will only work if you actually try authenticating as “root” from an account that’s already logged in, and then the root user will be enabled on your device, allowing you to login as “root”. The vulnerability affects all latest versions of the operating system, but it only seems to affect devices running macOS High Sierra and can’t be reproduced on older versions of the OS.

Using the same trick, you can add new users (even as admins) to a device, remove other users, reset their passwords, decrypt disks encrypted by FileVault, or change almost every other setting that requires admin access. It’s pretty ridiculous:

Apple has acknowledged the security flaw on macOS, and a software update is now available for the issue:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Disabling the root user won’t help, by the way. The security flaw isn’t too much of a big deal, though, as one would need physical access to your device in order to get unauthorized administrative access to your device.

Still, flaws like this really undermine the level of security you get from Apple’s premium devices, even though such issues are rarely discovered.

Editor’s note: The article has been updated to include Apple’s statement regarding the issue. The article was initially incorrect about the steps to reproduce the issue, however, we have now updated the article to correct that. 

Tagged with

Share post

Please check our Community Guidelines before commenting

Conversation 53 comments

  • wunderbar

    Premium Member
    28 November, 2017 - 4:54 pm

    <p>This is hilarious, but before anyone goes too far into the "lolol apple" remember that Microsoft OS's have bugs too.</p>

    • nbates66

      28 November, 2017 - 7:59 pm

      <blockquote><a href="#222285"><em>In reply to wunderbar:</em></a></blockquote><p>"Look over there! Nothing to see here!!"</p><p><br></p><p><br></p><p>I'm curious about how serious this one is… Have found various comments that the exploit can be used via remote accesses and at least one case via a terminal.</p>

    • SRLRacing

      28 November, 2017 - 8:33 pm

      <blockquote><a href="#222285"><em>In reply to wunderbar:</em></a></blockquote><p>You are of course correct but if this was Windows the internet would be aflame with "lol Windows sux" so let us sit back, open a bottle of fine craft beer, and type "lol Apple sux" as often as we can to really soak the moment in.</p>

    • warren

      29 November, 2017 - 12:20 am

      <blockquote><a href="#222285"><em>In reply to wunderbar:</em></a></blockquote><p><br></p><p>Yeah, no, you know what, — given all the noxious yammering we've been hearing for years from Apple-heads about IT'S UNIX, IT'S SO MUCH MORE SECURE THAN WINDOWS, I say we spent the next five years throwing this right back at them.</p><p><br></p><p>Over and over and over.</p><p><br></p><p><br></p>

      • hrlngrv

        Premium Member
        29 November, 2017 - 5:19 pm

        <p><a href="#222426"><em>In reply to warren:</em></a></p><p>This doesn't happen in most Linux distributions or BSD versions. Never installed a true Unix system, but I figure the installation script required a nontrivial root password.</p><p>This problem appears limited to Apple. Unlike Linux, Apple's macOS is perfectly happy to login as root when root lacks a password.</p>

    • evox81

      Premium Member
      29 November, 2017 - 9:33 am

      <blockquote><a href="#222285"><em>In reply to wunderbar:</em></a></blockquote><p>It's true, Windows does have security vulnerabilities as well. It's the type of vulnerabilities we've been seeing lately that I find interesting. Most Windows exploits found today are obscure vulnerabilities that are complicated, or at least cumbersome, to exploit. This is type a word, press enter, repeat and you successfully have full root access to the device.</p>

  • PincasX

    28 November, 2017 - 5:22 pm

    <p>That is a pretty big miss on the part of Apple. </p><p><br></p><p>Also this is an inaccurate description of the issue:</p><p>”<span style="color: rgb(0, 0, 0);">When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device.&nbsp;“</span></p><p><br></p><p>People can’t log into the machine as root using this exploit or at least not initially. To get it to work you have to be logged in already and use the exploit to enable the root user (disabled by default) in system preferences. Once you have done that then you can log out and log back in as root without a password. So for so one to use this exploit they would need to have physical accesss to the machine while a user is logged in. </p><p><br></p><p>Still incredibly sloppy on Apple’s part. </p><p><br></p>

    • MikeGalos

      28 November, 2017 - 5:50 pm

      <blockquote><a href="#222295"><em>In reply to PincasX:</em></a></blockquote><p>TechCrunch says Mehedi is correct:</p><p><span style="color: rgb(0, 0, 0); background-color: transparent;">See </span><a style="color: rgb(0, 102, 204); background-color: transparent;" href="https://techcrunch.com/2017/11/28/astonishing-os-x-bug-lets-anyone-log-into-a-high-sierra-machine/&quot; target="_blank">https://techcrunch.com/2017/11/28/astonishing-os-x-bug-lets-anyone-log-into-a-high-sierra-machine/ </a></p><p><br></p>

      • PincasX

        28 November, 2017 - 7:22 pm

        <blockquote><a href="#222315"><em>In reply to MikeGalos:</em></a></blockquote><p>Nope, try reading the article. They go through system preferences like Mehedi does and the person that found it did. This process enables the root user and does so without a password. Just booting the machine and trying doesn’t work as 1. The root user is not enabled and can’t log in 2. MacOS has no option to type in a user by default. Getting that option is done by a user logging in and changing the login screen preferences. </p><p><br></p><p><br></p><p>I’m not saying all of this makes the bug a nonissue, it’s a huge issue. That said, it being a substantial issues doesn’t excuse poor reporting. Given that you completely invent demos of products to promote your conspiracies that last part may be lost on you. </p><p><br></p><p><br></p>

        • MikeGalos

          28 November, 2017 - 7:37 pm

          <blockquote><a href="#222335"><em>In reply to PincasX:</em></a></blockquote><p>Apple disagrees and tells you to enable root access in order to set a password on the root account. You wouldn't need to do that if it didn't work with root disabled.</p>

          • PincasX

            28 November, 2017 - 7:53 pm

            <blockquote><a href="#222339"><em>In reply to MikeGalos:</em></a></blockquote><p>Again, no. Apple acknowleged there is a bug that can compromise a root account that is inactive or was made active with no password. They then explain how to secure the root account so that it won’t be vulnerable to the exploit. </p><p><br></p><p> What you don’t really get is how the exploit works. The exploit allows you to enable the root user with no password but to get to that point you have to already be logged in already. Once it is active you could log in at the log in screen or remotely (in specific cases) as the root user. Apple’s suggestion is that you enable root user and give it a password. That keeps someone else from enabling root and giving a password because it would already be enabled and have a password. </p><p><br></p><p>Again, I know this hard for you but you don’t get to make things up because they are what you would like to believe. </p>

          • Stooks

            28 November, 2017 - 11:00 pm

            <blockquote><a href="#222339"><em>In reply to MikeGalos:</em></a></blockquote><p>Try again you are wrong.</p>

        • Mehedi Hassan

          Premium Member
          29 November, 2017 - 2:22 am

          <blockquote><a href="#222335"><em>In reply to PincasX:</em></a></blockquote><p><br></p><p>You are right. I have updated the story, thanks!</p>

          • James Wilson

            29 November, 2017 - 6:15 am

            <blockquote><a href="#222442"><em>In reply to Mehedi:</em></a></blockquote><p>Just checked and remote connectivity to High Sierra doesn't work using SSH. Seems to be a privilege escalation issue.</p><p><br></p><p>So you have to physically have the mac, be logged in as a non-root user and then you escalate rights to root. Still – pretty bad but I don't think people are going to lose data over this.</p>

    • Stooks

      28 November, 2017 - 10:57 pm

      <blockquote><a href="#222295"><em>In reply to PincasX:</em></a></blockquote><p>You are correct. You CANT change the user name at the login screen, only choose from the list of users.</p>

      • Brazbit

        29 November, 2017 - 10:53 am

        <blockquote><a href="#222387"><em>In reply to Stooks:</em></a></blockquote><p>Of course you can. At the List of Users (login screen) press the down arrow. This will highlight the default choice. Press Option+Enter (Alt+Enter if using a PC keyboard) this will switch it from List of Users to Name and Password. You can now enter the login name for hidden accounts. </p><p><br></p><p>It would be kind of hard to make use of the Root account, for its intended uses, if this ability to switch login modes at the login screen did not exist. </p>

        • Stooks

          29 November, 2017 - 11:32 am

          <blockquote><a href="#222556"><em>In reply to Brazbit:</em></a></blockquote><p>So yes, you can do that (if you know all of that) but if the root user is disabled (default) then you cant use it from the login screen. You will only be able to use the valid/enabled users on the Mac.</p><p><br></p><p>The root user would be a choice if it was enabled via this bug. But to do that you would have to have physical access to a already logged in Mac that has not set a root user password. (most would not have a password).</p><p><br></p><p>A lot of "if's" and requirements. However if you have physical access to a bug free Windows 10 computer that is already logged in via a Admin account you can own it 8 days a week.</p>

  • neumarke

    28 November, 2017 - 5:39 pm

    <p>There are reports of people getting this to work remotely, no physical access required. So, a very big deal.</p><p><br></p>

    • MikeGalos

      28 November, 2017 - 5:52 pm

      <blockquote><a href="#222309"><em>In reply to neumarke:</em></a></blockquote><p>Do you have a reference link?</p><p>I have Macintosh using friends who will be asking what to do and that's a BIG difference in exposure. </p>

    • Stooks

      28 November, 2017 - 11:11 pm

      <blockquote><a href="#222309"><em>In reply to neumarke:</em></a></blockquote><p>BS unless you have proof.</p>

  • rameshthanikodi

    28 November, 2017 - 6:14 pm

    <p>this is extremely embarrassing and with the slow adoption of iOS 11, it seems like it's amatuer hour at Apple's software group.</p>

    • jimchamplin

      Premium Member
      28 November, 2017 - 7:19 pm

      <blockquote><a href="#222325"><em>In reply to FalseAgent:</em></a></blockquote><p>High Sierra is a steaming pile. Worst macOS update in a long time. </p>

      • Stooks

        28 November, 2017 - 11:11 pm

        <blockquote><a href="#222334"><em>In reply to jimchamplin:</em></a></blockquote><p>How so? I have zero issues. I really like the new iCloud features as well, plus the latest Safari block's auto playing of videos is simply priceless. </p>

  • MikeGalos

    28 November, 2017 - 6:25 pm

    <p>Apple is now confirming that this security vulnerabilty exists matching Paul's statement and that the temporary fix is to enable the root account and set a password. </p><p><br></p><p>Here's their statement:</p><p><br></p><p><em style="color: rgb(104, 108, 104); background-color: transparent;">We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: </em><a style="color: rgb(8, 158, 0); background-color: transparent;" href="https://support.apple.com/en-us/HT204012&quot; target="_blank"><em>https://support.apple.com/en-us/HT204012</em></a><em style="color: rgb(104, 108, 104); background-color: transparent;"> . If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.</em></p><p><br></p>

  • jimchamplin

    Premium Member
    28 November, 2017 - 7:32 pm

    <p>I'm not incredibly surprised. High Sierra is garbage. </p>

  • brettscoast

    Premium Member
    28 November, 2017 - 7:40 pm

    <p>Thanks Mehedi for the heads up this really isn't good enough from Apple who constantly rave on about how good their security is on their devices well this is an epic fail and i would have thought there would be some urgency to issue a security patch immediately. By the way welcome to thurrott.com looking forward to more of your articles going forward.</p>

  • Stooks

    28 November, 2017 - 10:55 pm

    <p>Sure this is a bug.</p><p><br></p><p>However this…"<span style="color: rgb(0, 0, 0);">When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device."</span></p><p><br></p><p>You can't change the user name at the login screen. You can only choose from the list of users (usually just one) on the login screen. In the case of having just one user then you are prompted for the password automatically, no ability to choose another user.</p><p><br></p><p>That said if the Mac is logged in then you can use this via the System Preferences panel. So you need a Mac that is logged in and it has to be on the Mac…not from across a network.</p><p><br></p><p>Also Apple has responded.</p><p><br></p><p><em style="color: rgb(4, 20, 39);">"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."</em></p><p><br></p><p><br></p><p><br></p><p><br></p>

  • UbelhorJ

    Premium Member
    28 November, 2017 - 11:21 pm

    <p>This reminds me of using the Help dialog to bypass the login screen in Windows 98. Pretty epic levels of fail.</p>

  • dontbe evil

    29 November, 2017 - 7:07 am

    <p>but but mac are secure /s … apple is the best /s … ROTFL</p><p><br></p>

  • seapea

    29 November, 2017 - 10:22 am

    <p>I didn't realize the new macOS was an IoT operating system.</p><p><br></p><p>seriously though, doesn't W10 do the same thing with the builtin Administrator account?</p>

    • Stooks

      29 November, 2017 - 8:42 pm

      <blockquote><a href="#222550"><em>In reply to seapea:</em></a></blockquote><p>Yes it does. </p><p><br></p><p>Walk up to a Windows 10 PC logged in by a user with Administrative privileges and you can create new accounts with admin privileges, take ownership of any files, delete users etc. All of this can be done with no challenges as in prompting to for user/password. This is the default behavior on Windows. </p><p><br></p><p>You can make changes to require a user/pass (UAC cranked way up) and then it acts like Unix/Linux/macOS by requiring a user/pass.</p>

      • seapea

        29 November, 2017 - 11:07 pm

        <blockquote><a href="#222795"><em>In reply to Stooks:</em></a></blockquote><p>Your paragraph starting "Walk up" contradicts the initial sentence of "Yes it does."</p><p>W10 has a built in Admin account, is it accessible by a person? If so, then I don't think the macOS root issue is unique to Apple.</p><p><br></p>

  • Dan1986ist

    Premium Member
    29 November, 2017 - 10:56 am

    <p>If one does a web search, one will find this exact issue was posted in an Apple Developer forum post on the 13th of this month. A full two weeks before this security issue was made known to apple via twitter. </p>

  • Brazbit

    29 November, 2017 - 11:10 am

    <p>"<span style="color: rgb(0, 0, 0);">The security flaw isn’t too much of a big deal, though, as one would need physical access to your device in order to get unauthorized administrative access to your device." </span></p><p><br></p><p><span style="color: rgb(0, 0, 0);">Such as regularly found in schools, libraries, store demo systems, kiosks, hotel lobbies, etc… It may be minor for individuals and irritating in an office setting, but for those with publicly accessible systems, and often little to no dedicated IT staff, it could quickly become a big deal. </span></p>

  • Waethorn

    29 November, 2017 - 11:11 am

    <p>Um, ok.</p><p><br></p><p>So you have to have physical access to a system that's already logged on as an admin in order to do this.</p><p><br></p><p>Microsoft doesn't patch these kinds of problems, labelling them as "low-risk" and would say "don't allow unauthorized users physical access to the computer" as the fix. Why is this getting news just because it's Apple, when it affects such a minor amount of the populace?</p>

  • Stooks

    29 November, 2017 - 11:25 am

    <p><span style="color: rgb(0, 0, 0);">So walk up to any Windows 10 PC logged with a Admin account and you can do ANYTHING you want with the computer, no extra login required. Basically macOS is just like Windows 10….right now.</span></p><p><br></p><p><span style="color: rgb(0, 0, 0);">Once this is fixed and back to normal macOS behavior it will once again be more secure than Windows.</span></p>

    • hrlngrv

      Premium Member
      29 November, 2017 - 3:36 pm

      <p><a href="#222576"><em>In reply to Stooks:</em></a></p><p>Picky: there's a lot the built-in Administrator account can't do in Windows until taking ownership of various files or directories and giving itself full control permission.</p>

      • Stooks

        29 November, 2017 - 8:39 pm

        <blockquote><a href="#222700"><em>In reply to hrlngrv:</em></a></blockquote><p>Is that a serious reply?</p><p><br></p><p>Does taking ownership require you to put in a password on Windows? Nope, so the built in Administrator can simply click apply.</p><p><br></p><p>macOS and Linux would require and admin user/pass to do this. HUGE difference.</p>

        • hrlngrv

          Premium Member
          01 December, 2017 - 4:44 pm

          <p><a href="#222794"><em>In reply to Stooks:</em></a></p><p>Yes, serious reply whether you could appreciate as such or not.</p><p>No, the built-in Administrator account can't just clock away. Taking ownership isn't so easy either. File Explorer tends to miss files in folders, so running <strong>takeown</strong> at the command line is the most robust way to do so. It can be done without entering a password, but it is an extra step.</p>

    • Greg Green

      30 November, 2017 - 9:44 am

      <blockquote><a href="#222576"><em>In reply to Stooks:</em></a></blockquote><p>Not quite. Any logged in account would've allowed you access to root when you have access to the computer. You don't have to be logged in to root to do this, so your admin log in example isn't quite the same.</p>

  • Bob Shutts

    29 November, 2017 - 12:34 pm

    <p>Exploit patched a few hours ago as of this post. Still, not a good thing, Apple. Management has relegated the Mac to the back seat behind the phone, the pad, and the watch.</p>

    • hrlngrv

      Premium Member
      29 November, 2017 - 3:34 pm

      <p><a href="#222615"><em>In reply to Bob_Shutts:</em></a></p><p>From what I've read, this predates the iPhone. Was Apple this blasé about Macs 13 years ago? Seems so.</p>

      • TEAMSWITCHER

        29 November, 2017 - 4:46 pm

        <blockquote><a href="#222698"><em>In reply to hrlngrv:</em></a></blockquote><p>This issue is only present on High Sierra.</p>

        • hrlngrv

          Premium Member
          29 November, 2017 - 5:27 pm

          <p><a href="#222737"><em>In reply to TEAMSWITCHER:</em></a></p><p>OK.</p><p>Worse then since Apple's macOS developers would have to have changed something to introduce this. So Apple's analog to gksu allows logging in as root? Is that necessary? Doesn't macOS provide sudo?</p>

    • Greg Green

      30 November, 2017 - 9:36 am

      <blockquote><a href="#222615"><em>In reply to Bob_Shutts:</em></a></blockquote><p>It's interesting how both MS and Apple seem to be slowly withdrawing from the consumer market, MS overall and Apple with regard to desktops. Even with their Mac Pro Apple is ignoring the individual powere user and building to the corporate power user requirements.</p><p><br></p><p>And neither company seems to be trying to take advantage of the other company's mistakes.</p>

  • markbyrn

    Premium Member
    29 November, 2017 - 12:41 pm

    <p>and today Apple issued an update to fix </p>

  • bls

    Premium Member
    29 November, 2017 - 2:29 pm

    <p>After far too many years and operating systems, it's clear that every OS sucks. They just suck differently.</p>

  • hrlngrv

    Premium Member
    29 November, 2017 - 3:31 pm

    <p>root is root. If you can login in as root, you can do anything the OS can do.</p><p>FWIW, most Linux GUI login systems don't allow logging in as root. Also, out of the box, as it were, one can't log in as root. It's necessary to run <strong>sudo passwd</strong> to set a password for root.</p>

  • TEAMSWITCHER

    29 November, 2017 - 4:38 pm

    <p>If somebody has Physical access to your computer and you are not present to monitor them … face it … you don't have ANY security. </p>

    • Brazbit

      30 November, 2017 - 1:29 pm

      <blockquote><a href="#222726"><em>In reply to TEAMSWITCHER:</em></a></blockquote><p>Right, because libraries, schools and other large-scale multiuser environments have staff monitoring everything every user does at all times. </p>

  • nbplopes

    29 November, 2017 - 6:59 pm

    <p>Yup, bad. Hours later, patched, good.</p>

    • Brazbit

      30 November, 2017 - 1:23 pm

      <blockquote><a href="#222765"><em>In reply to nbplopes:</em></a></blockquote><p>Minutes later, patch further breaks OS. Bad. </p><p>Hours later, terminal commands suggested to mitigate damage, Ok?</p><p>Hours later, patch for the patch, Good.</p><p>The End… Or is it? </p><p><br></p>

      • nbplopes

        01 December, 2017 - 7:56 pm

        <blockquote><a href="#223088"><em>In reply to Brazbit:</em></a></blockquote><p><br></p><p>I just woke up and was patched. </p><p><br></p><p>So honestely do not know the story in between.</p>

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC