MacOS gives users full admin rights without password

Lena Tucker
November 29, 2017

"Apple could have avoided it originally by setting a random password to the root user", Serper added, "in a way that the password is randomly generated every time the operating system is installed".

macOS High Sierra includes the Apple File System to make using your Mac faster, Metal 2 with native VR support, updates to Siri including an all-new more human-like voice, autoplay blocking in Safari for ads, and support for external GPUs you may wanna hook up to your machine for heavy workloads or intense games. To exploit the vulnerability, someone with access to the computer can type "root" and no password in the Users & Groups section of System Preferences.

Once the phantom account is created, a user simply needs to enter "root" as a username and, without entering a password, hit enter to unlock. The good news is that it's simple to patch this hole right now, without waiting for a software update from Apple.

CNET independently confirmed this security flaw exists and reached out to Apple about the issue. If the lock is unlocked, the machine is affected by the security flaw. Quartz wasn't able to recreate the login bug, but was able to edit who has access to a computer in System Preferences on a Mac running macOS High Sierra 10.13.1.

Lemi Orhan Ergin on Twitter:
WARNING: Huge Bug Discovered macOS High Sierra, Lets Anyone Log In as Root Without Password

This is a developing story.

Currently, there is no official fix from Apple regarding the issue.

Disabling the root account in the open directory utility tool does not work, as the root account becomes re-enabled when entered into the user name field on login. Then select "Change Root Password..." and choose a strong password, something with many letters and characters that can't be guessed.

Once in the "Join" menu, click on "Open Directory Utility". Users can prevent an attacker from exploiting a bug by creating a "root" account themselves and giving it a custom password.

Other reports by AllAboutTopnews

Discuss This Article