Serious macOS Bug Allows Anyone to Get Full Access to Your Mac

A serious vulnerability in macOS High Sierra was disclosed yesterday. It allows anyone with physical access to your Mac to log in as the “root” user, without entering a password. The root user is the super-user, the one that can do anything on your Mac. Root has more power than an administrator, and can view all the files of all users.

For some reason, macOS High Sierra seems to have a root account set up with an empty password; so you just log in with “root” as user name and leave the password field blank. You may need to try this several times, but lots of people have tested and shown that it works in most cases. The exception is if you have FileVault enabled, since that requires a different password to unlock a disk. However, if your disk is already unlocked, then the root vulnerability can be exploited. (Note that this doesn’t affect older versions of macOS.)

As Adam Engst wrote on TidBITS, “The reason this shouldn’t work is that the root user isn’t supposed to be enabled.” By default, this account is not set up; or shouldn’t be. Adam’s article explains how you can protect yourself from this vulnerability; you simply have to enable the root account and add a password.
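The check and the mitigation described above, as an added shell example that is not from this article, TidBITS or Apple: `classify_root_auth` inspects the output of `dscl . -read /Users/root AuthenticationAuthority` and `harden_root` calls `dsenableroot` to give root a real password. The dscl output patterns (`No such key`, `;DisabledUser;`, `;ShadowHash;`) and the mapping of each state to risk are assumptions, not something the article states.

```shell
#!/bin/bash
# Added example: classify the root account's state from dscl output and,
# on macOS, apply the article's mitigation (give root a real password).
# Assumption: dscl prints "No such key: AuthenticationAuthority" when the
# attribute is absent, ";DisabledUser;" when root is disabled, and
# ";ShadowHash;" when a password hash exists.

# classify_root_auth <dscl output> -> disabled | enabled | no-authority | unknown
classify_root_auth() {
  local out="$1"
  case "$out" in
    *"No such key"*)    echo "no-authority" ;;  # no hash at all (assumed: the state to fix)
    *";DisabledUser;"*) echo "disabled" ;;      # checked before ShadowHash: both may appear
    *";ShadowHash;"*)   echo "enabled" ;;       # root has a password hash
    *)                  echo "unknown" ;;       # dscl missing or unexpected output
  esac
}

# is_root_at_risk <state> -> exit 0 when a password should be set
is_root_at_risk() {
  case "$1" in
    no-authority|unknown) return 0 ;;
    *) return 1 ;;
  esac
}

# read_root_auth: run dscl on macOS; print nothing where dscl is absent
read_root_auth() {
  command -v dscl >/dev/null 2>&1 || { echo ""; return 0; }
  dscl . -read /Users/root AuthenticationAuthority 2>&1
}

# harden_root: enable root with a password you choose (dsenableroot prompts
# for an admin user's credentials and for the new root password).
harden_root() {
  dsenableroot
}

if [ "${1:-}" = "--check" ]; then
  state=$(classify_root_auth "$(read_root_auth)")
  echo "root account state: $state"
  if is_root_at_risk "$state"; then
    echo "root has no password hash; run: $0 --fix"
  fi
elif [ "${1:-}" = "--fix" ]; then
  harden_root
fi
```

Run `./root_check.sh --check` to see the state and `./root_check.sh --fix` to set a root password; a strong, unique password is what makes the mitigation effective.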

This vulnerability only affects your Mac if someone has physical access, or if they can connect via Screen Sharing (which you would need to activate in the Sharing pane of System Preferences).

One note about the way this was disclosed. A developer shared this on Twitter, effectively making it a zero-day vulnerability which people need to defend. Instead of reporting it to Apple, he chose to go public, which, for this type of bug, is harmful. Since he is a developer, he could certainly have figured out how to report it responsibly (it’s not hard to find Apple’s Contact Apple About Security Issues page and the product-security@apple.com address). The developer might have been frustrated by Apple’s impractical bug reporter, but that’s no excuse. You simply don’t go public with vulnerabilities this serious.

8 thoughts on “Serious macOS Bug Allows Anyone to Get Full Access to Your Mac”

  1. The problem is that Apple has a history of denying that problems exist. He did the right thing.

    Its danger is offset by the need to be at the computer.

      • I’m sure police departments are showing a sudden uptick in Mac thefts. Who knows what you’ll find if you search a randomly pilfered Macintosh?

        Besides, all Mac owners will immediately protect themselves by creating a root-user account with a strong password.

  2. A developer shared this on Twitter, effectively making it a zero-day vulnerability which people need to defend. Instead of reporting it to Apple, he chose to go public, which, for this type of bug, is harmful.

    I don’t think this is correct. According to John Gruber, the bug was reported to Apple by Lemi’s company on 23 Nov, five days before he tweeted it, with no response. So Apple had plenty of time to respond to what is a very serious bug.

    https://daringfireball.net/2017/11/high_sierra_root_login_two_weeks_ago

    • “Apple had plenty of time…” I admit that Apple’s bug reporter sucks, but if they are developers, they know how serious this is, and they would find – with a simple Google search – how to report a security issue. Apparently they did not do this. Filing a radar – a bug in Apple’s system – is not the way to do this.

      And if they’re serious developers, they’d have contacted some security researchers, who could have filed an official CVE and perhaps been able to contact Apple (i.e., not needing to use Google to find the email address for Apple security).

      I have worked around computer security (writing for a security company) for 20 years, and their behavior was simply wrong.
