A serious, yet stupid vulnerability has been discovered in macOS High Sierra that allows untrusted users to quickly gain unfettered administrative (or root) control on your Mac without any password or security check, potentially leaving your data at risk.
Discovered by developer Lemi Orhan Ergin on Tuesday, the vulnerability only requires anyone with physical access to the target macOS machine to enter "root" into the username field, leave the password blank, and hit the Enter a few times—and Voila!
In simple words, the flaw allows an unauthorized user that gets physical access on a target computer to immediately gain the highest level of access to the computer, known as "root," without actually typing any password.
Needless to say, this blindingly easy Mac exploit really scary stuff.
This vulnerability is similar to one Apple patched last month, which affected encrypted volumes using APFS wherein the password hint section was showing the actual password of the user in the plain text.
Here's How to Login as Root User Without a Password
If you own a Mac and want to try this exploit, follow these steps from admin or guest account:
- Open System Preferences on the machine.
- Select Users & Groups.
- Click the lock icon to make changes.
- Enter "root" in the username field of a login window.
- Move the cursor into the Password field and hit enter button there few times, leaving it blank.
With that (after a few tries in some cases) macOS High Sierra logs the unauthorized user in with root privileges, allowing the user to access your Mac as a "superuser" with permission to read and write to system files, including those in other macOS accounts as well.
This flaw can be exploited in several ways, depending on the setup of the targeted Mac. With full-disk encryption disabled, a rogue user can turn on a Mac that's entirely powered down and log in as root by doing the same trick.
At Mac's login screen, an untrusted user can also use the root trick to gain access to a Mac that has FileVault turned on to make unauthorized changes to the Mac System Preferences, like disabling FileVault.
All the untrusted user needs to do is click "Other" at the login screen, and then enter "root" again with no password.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
However, it is impossible to exploit this vulnerability when a Mac machine is turned on, and the screen is protected with a password.
Ergin publicly contacted Apple Support to ask about the issue he discovered. Apple is reportedly working on a fix.
"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
Here's How to Temporarily Fix the macOS High Sierra Bug
Fortunately, the developer suggested a temporary fix for this issue which is as easy as its exploit.
To fix the vulnerability, you need to enable the root user with a password. Heres how to do that:
- Open System Preferences and Select Users & Groups
- Click on the lock icon and Enter your administrator name and password there
- Click on "Login Options" and select "Join" at the bottom of the screen
- Select "Open Directory Utility"
- Click on the lock icon to make changes and type your username and password there
- Click "Edit" at the top of the menu bar
- Select "Enable Root User" and set a password for the root user account
This password will prevent the account from being accessed with a blank password.
Just to be on the safer side, you can also disable Guest accounts on your Mac. for this, head on to System Preferences → Users & Groups, select Guest User after entering your admin password, and disable "Allow guests to log in to this computer."