Turkish developer Lemi Orhan Ergin has found a colossal security hole in the latest shipping version of macOS, High Sierra 10.13.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The bug allows anyone to gain admin rights to the computer, letting them log in as "root" without needing to enter a password.
That sounds bad
Yes. This is pretty bad of Apple, the company which previously brought us a security hole that displayed users’ actual passwords rather than a password hint.
D’oh! Apple seems to be making a habit of this… how could this security hole be exploited?
Simple. Imagine you nip away for lunch at work and leave your computer unattended on your desk. Your arch-business rival wanders over, boots up your iMac or MacBook, logs in as root, and installs some malware to spy on you.
Once someone has root on your Mac, they have God-like powers over the entire system.
Nasty. So this is a problem with the login screen at bootup?
Nope, it looks like it's more than that. Any time the operating system asks you for an admin password (for instance, when unlocking a pane in System Preferences) you can type "root" as the username, leave the password field empty and click the button a couple of times: the first attempt quietly enables the root account with a blank password, and the next one lets you straight in. No password required.
But an attacker needs to have physical access to a Mac computer in order to exploit this flaw?
Not so fast. For instance, security researcher Patrick Wardle reports that in some cases it is possible to exploit the flaw remotely.
If certain sharing services enabled on target – this attack appears to work 💯 remote 🙈💀☠️ (the login attempt enables/creates the root account with blank pw) Oh Apple 🍎😷🤒🤕 pic.twitter.com/lbhzWZLk4v
— Patrick Wardle (@patrickwardle) November 28, 2017
In other words, if Screen Sharing or Remote Management (VNC/Apple Remote Desktop) is switched on, an attacker could use this technique to gain control over your Mac across the network, with no need to sit at the keyboard.
You can tell just how serious this is by the sheer number of emojis Patrick included in his tweet.
This is so dumb
The over-use of emojis? Oh, you mean the security hole.
Yes, it is.
That’s why you should set a root password yourself, so the account is no longer sitting there with a blank one that the bug can switch on.
Obviously if you take the route (geddit?) of changing your root password, make sure that it’s a strong, unique password that is hard to crack.
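If you want to check whether a Mac's root account has already been switched on, the script below reads the local Directory Services record for root with `dscl` and classifies it. This is an added example, not code from the article or from Apple: the `Password: *`, `DisabledUser` and `ShadowHash` markers it looks for are assumptions about how macOS records a disabled versus an enabled root user, and the sample records are constructed so the script also runs offline on a machine without `dscl`.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): classify the state of
# the root account on a macOS 10.13 host from its Directory Services record.
# The marker strings below are assumptions about how macOS records a
# disabled versus an enabled root user.

# root_state "<output of: dscl . -read /Users/root Password AuthenticationAuthority>"
# Prints one of: disabled, enabled, unknown.
root_state() {
  rec="$1"
  # Disabled root: the legacy Password attribute is a lone "*" and/or the
  # AuthenticationAuthority carries the DisabledUser tag.
  if printf '%s\n' "$rec" | grep -q 'DisabledUser' ||
     printf '%s\n' "$rec" | grep -q '^Password: \*$'; then
    echo disabled
    return 0
  fi
  # Enabled root: a ShadowHash authority is present, so some password
  # (possibly the blank one the bug sets) will be accepted at login.
  if printf '%s\n' "$rec" | grep -q 'ShadowHash'; then
    echo enabled
    return 0
  fi
  echo unknown
}

# Constructed sample records standing in for real dscl output.
SAMPLE_DISABLED='Password: *
AuthenticationAuthority: ;DisabledUser;'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# On a real Mac read the live record; elsewhere fall back to a sample.
if command -v dscl >/dev/null 2>&1; then
  rec="$(dscl . -read /Users/root Password AuthenticationAuthority 2>/dev/null)"
else
  rec="$SAMPLE_DISABLED"
fi
echo "root account: $(root_state "$rec")"
```

An "enabled" result on a machine where you never set a root password is a sign the account has been tampered with; either way, giving root a strong password with `sudo passwd root` closes the hole until the patch is installed.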
Apple is reportedly working on a fix. I would imagine they will be pushing it out as a high priority. Make sure to update your Macs and MacBooks at your earliest opportunity after it is released.
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:
Smashing Security #054: 'A great big fat macOS bug'
Update: Apple has now pushed out a security update for macOS High Sierra users that fixes the issue.
4 comments on “Huge MacOS bug lets anyone login as root without a password: what you need to know”
And it’s only being worked on as a high priority because it was leaked to the press. Other privately disclosed flaws frequently take months.
‘Responsible disclosure’ (a.k.a. private disclosure) would’ve seen Apple take considerably longer.
This latest embarrassing debacle will hopefully provide the kick up the backside for better quality control. With responsible disclosure it’d have been hushed up, fixed in a couple of months and not made worldwide press. The public humiliation of yet another serious vulnerability will get the attention of their executives.
Kudos to the security researcher.
Here you are people, it was publicly disclosed on November 13 (TWO WEEKS AGO) but Apple did nothing.
Just waiting for that glorious day when we hear Apple is no more.
Yeah I said it.
I think that Apple should re-instate the dedicated Mac OS team rather than the current set-up that is treating the Mac as a sideline to the god of iPhone.