Update: Apple has issued a fix for this. –Paul
A major new macOS vulnerability has just been discovered, and it’s also been disclosed publicly…on Twitter. The bug gives anyone unauthorized administrative access to a Mac using a very simple trick: logging in as root.
When trying to log in to a Mac running macOS High Sierra, you simply need to enter the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device. This only works if you attempt the authentication as “root” from an account that is already logged in; doing so enables the root user on the device, after which you can log in as “root”. The vulnerability affects the latest versions of the operating system, but it only seems to affect devices running macOS High Sierra and can’t be reproduced on older versions of the OS.
Using the same trick, you can add new users (even as admins) to a device, remove other users, reset their passwords, decrypt disks encrypted by FileVault, or change almost every other setting that requires admin access. It’s pretty ridiculous.
Apple has acknowledged the security flaw on macOS, and a software update is now available for the issue:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Disabling the root user won’t help, by the way. The security flaw isn’t too big a deal, though, since one would need physical access to the device in order to gain unauthorized administrative access to it.
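The following is an added illustration, not Apple's code and not part of the original article. It is a simplified Python model of the behaviour described above: a blank-password attempt as root from a logged-in session fails the first time but enables root, and the second attempt succeeds. The internal mechanism is an assumption made for the model (an authentication routine that, for an account with no stored credential, initialises the credential from the password it was just handed instead of rejecting the attempt); so is the assumption that "disabling" root clears its credential record. The model then checks the two mitigation claims on the page: setting a real root password blocks the attempts, while disabling root does not. The hardened variant shows the property a defender should want: authentication never mutates account state, and disabled accounts always fail.

```python
"""Simplified model of the High Sierra root-login failure mode (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # Toy credential hashing; the real hash scheme is not modelled here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    enabled: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None  # None = no credential record on file

    def set_password(self, password: str) -> None:
        self.pw_hash = _hash(password, self.salt)
        self.enabled = True

    def disable(self) -> None:
        # ASSUMPTION of the model: disabling removes the stored credential,
        # which returns the account to the very state the flaw depends on.
        self.enabled = False
        self.pw_hash = None

    def check(self, password: str) -> bool:
        if self.pw_hash is None:
            return False
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class VulnerableDirectory:
    """Authentication with a state-changing side effect (the modelled flaw)."""

    def __init__(self) -> None:
        self.accounts = {"root": Account("root")}

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            return False
        if acct.pw_hash is None:
            # MODELLED BUG: no credential on file, so the record is "initialised"
            # from whatever was supplied (even an empty string) and the account
            # is enabled. This call still returns False; the next one matches.
            acct.set_password(password)
            return False
        return acct.enabled and acct.check(password)


class HardenedDirectory(VulnerableDirectory):
    """Authentication never mutates state; disabled accounts always fail."""

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled or acct.pw_hash is None:
            return False
        return acct.check(password)


def blank_root_login_succeeds(directory, attempts: int = 2) -> bool:
    """Hitting the login button a couple of times as root with no password."""
    return any(directory.authenticate("root", "") for _ in range(attempts))


def demo() -> dict:
    results = {}
    # 1. Default state: root has no credential -> two blank tries get in.
    results["vulnerable_default"] = blank_root_login_succeeds(VulnerableDirectory())
    # 2. Apple's interim mitigation: set a real root password first.
    d = VulnerableDirectory()
    d.accounts["root"].set_password("constructed-sample-root-password")
    results["vulnerable_with_root_password"] = blank_root_login_succeeds(d)
    # 3. "Disabling the root user won't help": disabling drops the credential
    #    again, so the buggy path re-enables root with a blank password.
    d = VulnerableDirectory()
    d.accounts["root"].set_password("constructed-sample-root-password")
    d.accounts["root"].disable()
    results["vulnerable_root_disabled"] = blank_root_login_succeeds(d)
    # 4. Fixed authentication path: blank attempts never succeed.
    results["hardened_default"] = blank_root_login_succeeds(HardenedDirectory())
    return results


if __name__ == "__main__":
    for case, got_in in demo().items():
        print(f"{case:32s} blank root login works: {got_in}")
```

The point of the model is the pairing of cases 2 and 3: a set password survives the flawed path because a credential record exists, whereas disabling the account recreates the empty-record state the bug keys on. The hardened directory removes the side effect altogether, which is the fix a reviewer would insist on regardless of which account is involved.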
Still, flaws like this really undermine the level of security you get from Apple’s premium devices, even though such issues are rarely discovered.
Editor’s note: The article has been updated to include Apple’s statement regarding the issue. The article was initially incorrect about the steps to reproduce the issue; it has now been updated to correct that.
Stooks
<blockquote><a href="#222339"><em>In reply to MikeGalos:</em></a></blockquote><p>Try again you are wrong.</p>
Stooks
<blockquote><a href="#222295"><em>In reply to PincasX:</em></a></blockquote><p>You are correct. You CANT change the user name at the login screen, only choose from the list of users.</p>
Stooks
<blockquote><a href="#222556"><em>In reply to Brazbit:</em></a></blockquote><p>So yes, you can do that (if you know all of that) but if the root user is disabled (default) then you cant use it from the login screen. You will only be able to use the valid/enabled users on the Mac.</p><p><br></p><p>The root user would be a choice if it was enabled via this bug. But to do that you would have to have physical access to a already logged in Mac that has not set a root user password. (most would not have a password).</p><p><br></p><p>A lot of "if's" and requirements. However if you have physical access to a bug free Windows 10 computer that is already logged in via a Admin account you can own it 8 days a week.</p>
Stooks
<blockquote><a href="#222309"><em>In reply to neumarke:</em></a></blockquote><p>BS unless you have proof.</p>
Stooks
<blockquote><a href="#222334"><em>In reply to jimchamplin:</em></a></blockquote><p>How so? I have zero issues. I really like the new iCloud features as well, plus the latest Safari block's auto playing of videos is simply priceless. </p>
Stooks
<p>Sure, this is a bug.</p><p>However, this…"When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device."</p><p>You can't change the user name at the login screen. You can only choose from the list of users (usually just one) on the login screen. In the case of having just one user, you are prompted for the password automatically, with no ability to choose another user.</p><p>That said, if the Mac is logged in then you can use this via the System Preferences panel. So you need a Mac that is logged in, and it has to be done on the Mac…not from across a network.</p><p>Also, Apple has responded.</p><p><em>"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."</em></p>
dontbe evil
<p>but but mac are secure /s … apple is the best /s … ROTFL</p>
seapea
<p>I didn't realize the new macOS was an IoT operating system.</p><p>Seriously though, doesn't W10 do the same thing with the built-in Administrator account?</p>
Stooks
<blockquote><a href="#222550"><em>In reply to seapea:</em></a></blockquote><p>Yes it does. </p><p><br></p><p>Walk up to a Windows 10 PC logged in by a user with Administrative privileges and you can create new accounts with admin privileges, take ownership of any files, delete users etc. All of this can be done with no challenges as in prompting to for user/password. This is the default behavior on Windows. </p><p><br></p><p>You can make changes to require a user/pass (UAC cranked way up) and then it acts like Unix/Linux/macOS by requiring a user/pass.</p>
seapea
<blockquote><a href="#222795"><em>In reply to Stooks:</em></a></blockquote><p>Your paragraph starting "Walk up" contradicts the initial sentence of "Yes it does."</p><p>W10 has a built in Admin account, is it accessible by a person? If so, then I don't think the macOS root issue is unique to Apple.</p><p><br></p>
Stooks
<p><span style="color: rgb(0, 0, 0);">So walk up to any Windows 10 PC logged with a Admin account and you can do ANYTHING you want with the computer, no extra login required. Basically macOS is just like Windows 10….right now.</span></p><p><br></p><p><span style="color: rgb(0, 0, 0);">Once this is fixed and back to normal macOS behavior it will once again be more secure than Windows.</span></p>
Stooks
<blockquote><a href="#222700"><em>In reply to hrlngrv:</em></a></blockquote><p>Is that a serious reply?</p><p><br></p><p>Does taking ownership require you to put in a password on Windows? Nope, so the built in Administrator can simply click apply.</p><p><br></p><p>macOS and Linux would require and admin user/pass to do this. HUGE difference.</p>