There's A Massive Security Vulnerability In The New MacOS

In software, there are bugs, and there are dangerous bugs. It looks like macOS High Sierra has one of those dangerous bugs; one that could give someone full access to virtually any user account. And holy buckets, it is scary.

All images: Gizmodo

Turkish software developer Lemi Orhan Ergin pointed out an apparent macOS security vulnerability in a tweet this morning. Basically, if you open System Preferences and then navigate to Users and Groups, you can easily gain access to make changes to any account on that machine. Just click the lock, and when macOS prompts you for a password, replace the user name with "root", select the password field (but don't type in a password), and click Unlock. Just like that, the system will unlock. We were able to replicate the issue multiple times. (Seven attempts seems to be the sweet spot.)

It's important to highlight the fact that a hacker would probably need access to a logged-in Mac in order to take advantage of this vulnerability. If there's a root user already enabled, the macOS login screen does not let you change the user name.

But a Gizmodo reader wrote in with an even more terrifying possibility:

If you have Remote Management enabled in your Sharing preferences then someone with Apple Remote Desktop or can in fact log in remotely using this exploit. I've confirmed this behaviour personally with a friend at my co-working space, and it's been confirmed here as well.

If you've already used the trick to unlock Users and Groups, you can use the same "root" trick to log back into the computer after you've logged out. Just select Other as the user, type in "root", click the password field, and then hit return. This will set up a new user and let you use the machine as an admin. As MacRumors points out, you can prevent this by enabling a root user on your Mac.

We reached out to Apple to learn more about this bug, its scope, and how the company plans to address it, but had not heard back at time of writing.



    Uhhhh. You should be changing the root password anyway.

      How many average Mac users would even know what "root" is, let alone know how to change the root password?

        From what I'm reading, it requires the root account to be created at the local machine via physical access - if the user never deliberately does this, there's no root account to exploit. The proposed way of doing it as per the article is a way that an end user probably wouldn't do accidentally.

        Still a flaw, but it'd rely on either going to the physical device, or tricking the user into doing it.

          I’ve read otherwise; an Apple spokesperson said the following:

          “We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

            From the support article about changing root password:
            The user account named “root” is a superuser [...] The root user is disabled by default

            The exploit described above is forcing through enabling the root account by trying to use it in an elevated privileges prompt. Unless the user deliberately does that, or enables it by normal means (deliberately and knowingly - i.e. not normal user activity), it isn't enabled.

              I’ll have to test with one of the spare machines in the office, but I took it as Apple recommending enabling root and changing the password to prevent the exploit.
              All my machines have a different root pw so I’m not worried.

              I've just checked this, if Root is not configured or has been disabled without changing the password, it will re-enable the Root login with the default password.

              The only fix at the moment is to set a new password for the Root user.

          You're mostly correct, except that the issue here is that root account is ENABLED by default with no password. I just tested on 2 machines (one HFS+, one APFS) with a fresh install of macOS 10.13.1 and I can confirm both machines let me in with root user and no password.

    For everyone that doesn't know Unix/Linux.

    Easiest way to fix the problem.
    1. Open terminal window.
    2. Type "sudo passwd root"
    3. Type in your normal password
    4. Type in a password for your root account.
    5. Retype password for your root account.
    6. Beer
