Update: Apple has issued a fix for this. –Paul
A major new macOS vulnerability has just been discovered, and it’s also been disclosed publicly…on Twitter. The bug gives anyone unauthorized administrative access to a Mac using a very simple trick: logging in as root.
To reproduce it on a Mac running High Sierra, you simply enter the username “root”, leave the password field empty, and hit the login button a couple of times to get access to the device. This only works if you attempt the authentication as “root” from an account that is already logged in; doing so enables the root user on the device, after which you can log in as “root” directly. The vulnerability affects the latest versions of the operating system, but it only seems to affect devices running macOS High Sierra and can’t be reproduced on older versions of the OS.
Using the same trick, you can add new users (even as admins) to the device, remove other users, reset their passwords, decrypt FileVault-encrypted disks, or change almost any other setting that requires admin access. It’s pretty ridiculous.
Apple has acknowledged the security flaw in macOS, and a software update is now available for the issue:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Disabling the root user won’t help, by the way. The security flaw isn’t too big a deal, though, as one would need physical access to your device in order to gain unauthorized administrative access to it.
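As an added example (not from the original article or from Apple), here is a small POSIX shell check a defender can run on a Mac to see whether the root account is currently enabled, which is the state this bug leaves it in. It assumes the record returned by `dscl . -read /Users/root AuthenticationAuthority` carries the `;DisabledUser;` tag when root is disabled and a `;ShadowHash;` entry when it is enabled; an “enabled” result means you should confirm a non-blank root password is set, as in Apple’s guidance above.

```shell
#!/bin/sh
# Added example, not part of the original article: report whether the macOS
# root account is enabled, based on its AuthenticationAuthority record.
# Assumption: a disabled root carries ";DisabledUser;" in that record, while an
# enabled root (set up via dsenableroot, or left behind by this bug) does not
# and instead shows a ";ShadowHash;" entry.

# root_state RECORD -> prints: disabled | enabled | unknown
# ";DisabledUser;" is checked first because a disabled record can also carry
# a ";ShadowHash;" entry left over from an earlier password.
root_state() {
    case "$1" in
        *';DisabledUser;'*) echo disabled ;;
        *';ShadowHash;'*)   echo enabled ;;
        *)                  echo unknown ;;
    esac
}

# Read the live record on a Mac; returns 1 where dscl is not available.
live_root_state() {
    command -v dscl >/dev/null 2>&1 || return 1
    root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)"
}

# Constructed sample records (not captured from a real machine), so the
# script can be exercised offline on systems without dscl.
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser; ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

if state=$(live_root_state); then
    echo "root account on this Mac: $state"
    if [ "$state" = enabled ]; then
        echo "root is enabled: confirm a non-blank root password is set"
    fi
else
    echo "dscl not found; classifying constructed samples instead:"
    echo "  disabled sample -> $(root_state "$SAMPLE_DISABLED")"
    echo "  enabled sample  -> $(root_state "$SAMPLE_ENABLED")"
fi
```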
Still, flaws like this really undermine the level of security you get from Apple’s premium devices, even though such issues are rarely discovered.
Editor’s note: The article has been updated to include Apple’s statement regarding the issue. The article was initially incorrect about the steps to reproduce the issue; it has now been updated to correct that.