UPDATE: Looks like Apple fixed the macOS root security bug with an update just now: https://support.apple.com/en-us/HT208315. Fire up your App Store update engine! If you're interested, read on for a little more background to this story.
In case you missed this story, Apple pulled quite a Windows 95:
A recently discovered bug in macOS High Sierra lets an untrusted user with physical access, or in some configurations remote access, gain complete administrative control ("root access") of your Mac without knowing a password.
Developers at Apple are aware of the security flaw and will likely patch it very soon.
In the meantime, here's a temporary fix: Give Root a Password.
By the looks of it, the root login bug was mentioned on Apple's support forum weeks ago.
A Mac user tip that originated in a November 13th thread on the Apple Developer Forum evolved into quite the shitstorm on Twitter under the hashtag #iamroot.
It was kicked off by Turkish software developer Lemi Orhan Ergin last night (Amsterdam time):
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
More from Lemi Orhan Ergin on that story on Medium:
A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account. The staff noticed the issue and used the flaw to recover my colleague’s account. On Nov 23, the staff members informed Apple about it. They also searched online and saw the issue mentioned in a few places already, even in Apple Developer Forum from Nov 13. It seemed like the issue had been revealed, but Apple had not noticed yet.
From what I can tell, and this is the part that worried me most, the latest macOS High Sierra vulnerability also affects Macs that expose remote services such as Screen Sharing (VNC) and Apple Remote Desktop: once the trick has been tried once, the root account is left enabled with an empty password, and those services authenticate against the same local account database.
On the "Krebs on Security" blog (see the links at the bottom of this article), I've seen comments from people who successfully tested SSH remote root access via this bug.
That really stinks.
How to Fix the High Sierra Vulnerability
In the meantime, the best way to protect your Mac against this vulnerability is to make sure the root account has a real password. The account is disabled by default, which is exactly what the bug gets around: a disabled root account with no password is what it turns into an enabled root account with an empty one.
Here is how to set that password from the GUI:
- Go to System Preferences
- Open the Users & Groups pane
- Click the padlock at the bottom
- Enter the administrator name and password
- Click Login Options
- Click Join
- Click Open Directory Utility
- Click the padlock at the bottom
- Enter an administrator name and password
- From the menu bar in Directory Utility, choose Edit > Change Root Password… (if the menu offers Enable Root User instead, choose that; it prompts for the password)
- Enter a password. Make it unique, lengthy and strong, and don't disable the root account again afterwards: a disabled root account with no password is the state the bug exploits
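The same mitigation from a Terminal, as an added example that is not part of the original post. It assumes macOS with dscl(1) and passwd(1); the `classify_root_auth` helper only inspects the text that `dscl` prints for root's AuthenticationAuthority attribute, so you can see whether root is currently disabled (the `;DisabledUser;` marker that `dsenableroot -d` writes) before and after you set the password.

```bash
#!/bin/sh
# Added example: check the root account's state, then give it a password.
# Assumes macOS (dscl, passwd). The helper itself is plain text matching.

# Classify the output of `dscl . -read /Users/root AuthenticationAuthority`.
#   disabled -> the ";DisabledUser;" marker is present, root cannot log in
#   enabled  -> an authentication authority is set and the marker is absent
#   unknown  -> empty output or an error message from dscl
classify_root_auth() {
    case "$1" in
        '')                           echo unknown ;;
        *'No such key'*)              echo unknown ;;
        *';DisabledUser;'*)           echo disabled ;;
        *'AuthenticationAuthority:'*) echo enabled ;;
        *)                            echo unknown ;;
    esac
}

# Only talk to Open Directory when we are actually on a Mac.
if command -v dscl >/dev/null 2>&1; then
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    echo "root account state before: $(classify_root_auth "$auth")"

    # Apple's recommended mitigation: give root a real password.
    # passwd prompts for it interactively; nothing is echoed.
    sudo passwd root

    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    echo "root account state after:  $(classify_root_auth "$auth")"
fi
```

After `passwd` returns, root shows up as `enabled`; that is expected and is the state Apple recommended until the update shipped. Do not run `dsenableroot -d` afterwards to tidy up: a disabled root with no password hash is the condition the bug turns into a passwordless login.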
How to Replicate it
This morning, I was able to replicate it on my MacBook Pro running macOS High Sierra version 10.13.1.
The steps are below, but please take note: don't do anything else while you are unlocked as root. Don't mess around with macOS system files, or you might need to reinstall your system software. Just log out and log back in as yourself.
Here’s how to replicate it:
- Open System Preferences
- Choose Users & Groups
- Click the lock to make changes
- Type “root” in the username field
- Move your mouse over to the password field and click it
- Leave the password field empty
- Hit Enter or Click Unlock
You should now be unlocked as root. Some Mac users have reported that it only worked after clicking Unlock more than once. Be aware that once this has succeeded, the root account on that Mac is enabled with an empty password, including for any remote login services you run, so go back to the fix above and set a root password right away.
Article Sources, Further Reading
“Updated to High Sierra, all Admin accounts now Standard”
“Here’s How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password”
“Anyone Can Hack MacOS High Sierra Just by Typing Root”
“Why ‘blank’ Gets You Root: Tracking Down the Cause of a Serious Authentication Flaw”
“MacOS High Sierra Users: Change Root Password Now”