Huge MacOS bug lets anyone login as root without a password: what you need to know

What’s happened?

Turkish developer Lemi Orhan Ergin has found a colossal security hole in the latest shipping version of MacOS, High Sierra 10.13.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

Sign up to our free newsletter.
Security news, advice, and tips.

The bug allows anyone to gain admin rights to the computer, letting them login as “root” without needing to enter a password.

That sounds bad

Yes. This is pretty bad of Apple, the company which previously brought us a security hole that displayed users’ actual passwords rather than a password hint.

D’oh! Apple seems to be making a habit of this… how could this security hole be exploited?

Simple. Imagine you leave you nip away for lunch at work, and leave your computer unattended on your desk. Your arch-business rival wanders over to your desk, boots up your iMac or Macbook, logs in as root, and installs some malware to spy on you.

Once someone has root on your Mac, they have God-like powers over the entire system.

Nasty. So this is a problem with the login screen at bootup?

Nope, it looks like it’s more than that. For instance, anytime the operating system asks you to enter an admin password (for instance, when changing your System Preferences) you could trick the computer into logging you in as “root”, no password required.

But an attacker needs to have physical access to a Mac computer in order to exploit this flaw?

Not so fast. For instance, security researcher Patrick Wardle reports that in some cases it is possible to exploit the flaw remotely.

If certain sharing services enabled on target – this attack appears to work ???? remote ????????☠️ (the login attempt enables/creates the root account with blank pw) Oh Apple ???????????????? pic.twitter.com/lbhzWZLk4v

— Patrick Wardle (@patrickwardle) November 28, 2017

In other words, an attacker could use this technique to gain control over your Mac via VNC/Apple Remote Desktop.

You can tell just how serious this is by the sheer number of emojis Patrick included in his tweet.

This is so dumb

The over-use of emojis? Oh, you mean the security hole.

Yes, it is.

That’s why you should change your root password so it’s no longer the (blank) default.

Obviously if you take the route (geddit?) of changing your root password, make sure that it’s a strong, unique password that is hard to crack.

Apple is reportedly working on a fix. I would imagine they will be pushing it out as a high priority. Make sure to update your Macs and MacBooks at your earliest opportunity after it is released.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #054

054: A great big fat macOS bug

↺ 15 ↻ 30 0:00

0:00 0:00

0:00 1×

Show full transcript ▼

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Unknown

Smashing Security, Episode 54: A Great Big Fat macOS Bug with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Episode 54, a special bonus podlet of Smashing Security. And I am joined by Carole Theriault. Hello, Carole. Why are we chatting today?

Why are we releasing a podcast on a Wednesday, for goodness sake?

CAROLE THERIAULT

Well, there was quite a big Mac snafu that just happened. And we thought we would give some people some advice and some reassurance at this stage.

GRAHAM CLULEY

It's pretty bad.

I think this is of interest if you're an Apple user, obviously, because of the security vulnerability, but it's also of interest, I think, if you're a Windows user, because this is a great excuse to feel really, really smug about running Windows rather than Apple Macs.

CAROLE THERIAULT

I'm not sure I'd agree with that. Yeah, it's still a big deal though.

GRAHAM CLULEY

Sometimes Windows users, they need an excuse to feel smug compared to those Apple-using polo-neck-wearing.

CAROLE THERIAULT

Hey, I'm glad they exist. They keep the whole market a bit more heterogeneous.

GRAHAM CLULEY

Yeah, well, long word, Carole, for a Wednesday morning.

CAROLE THERIAULT

Well, glad I impressed.

GRAHAM CLULEY

Let's describe exactly what has happened. A Turkish developer, his name is Lemi, or can't be Lemi from Motörhead, surely.

Lemi or Liman Ergin, he found a colossal security hole in the latest shipping version of macOS, also known as High Sierra 10.13.

What it means is that anyone can log in to a Mac computer and have access to admin rights.

So they're logging in with basically godlike admin rights to the computer without a password. You can just type in your username as root, hit enter a few times, and you get in.

CAROLE THERIAULT

Whoa, whoa, whoa though, Graham. I'm under the impression that the root account is actually disabled by default on a Mac.

So surely this is only going to impact those that have enabled their root account.

GRAHAM CLULEY

Ah, well, yes, you're right.

The root account is disabled, but it appears that this vulnerability means that if you type in your username as root, it kind of re-enables the root account, which by default has no password.

And so you get in. It's absolutely—

CAROLE THERIAULT

Whoa! Yeah. This is much bigger than I thought.

GRAHAM CLULEY

Right. So, I mean, it's extraordinary. And this isn't the first kind of snafu which Apple has had regarding logging in and passwords, etc.

Just a couple of months ago, there was a security hole which would display users' actual passwords if you clicked on the "Give me the password hint" button.

CAROLE THERIAULT

Yeah.

GRAHAM CLULEY

So rather than the hint, it would display the actual password.

CAROLE THERIAULT

Yeah.

GRAHAM CLULEY

So Apple keep on goofing up. So how could this be exploited? Well, imagine this.

Imagine you're working in an office, you're lucky enough to have Apple Macs, and you go away for lunch for your lovely tuna sandwich and someone comes by your desk, maybe your arch rival in the office.

Everyone has an arch rival, don't they? A nemesis.

CAROLE THERIAULT

I get on with everybody.

GRAHAM CLULEY

Okay. Lucky you. Anyway, so someone comes along and thinks, oh, I'll just log into Graham's computer.

And even if I've locked the computer, they can say, actually, I want to log in as root. Dink, dink, dink, dink, dink. And in they go.

And they've got the rights to do whatever they like. They can change passwords. They can install malware to spy upon you. Any kind of mischief.

CAROLE THERIAULT

Yeah. They become a god of your computer effectively, if they can get into the root.

GRAHAM CLULEY

Right. Now, at first, when I heard about this, I thought, well, at least you have to have physical access to the computer, but it turns out that that isn't the case.

Some researchers have already discovered that it is possible. There are scenarios where it is possible to exploit this flaw remotely.

So if, for instance, you've set up your Apple Mac to allow access via VNC or Apple Remote Desktop, people can do this as well.

Furthermore, if you've ever been irritated, you know, when you go into System Preferences and you change some settings on your Mac and it says, oh, you're gonna have to enter an admin username and password and you're like, oh, what's the admin username and password?

Well, worry no longer because all you have to do is type in root as your username and click OK and off you go.

So people are able to basically elevate their permissions on the computer and cause all kinds of mayhem.

CAROLE THERIAULT

So the advice here is not for people to disable their root, but it's to add a password to their existing, maybe never used root account so that if someone tries to infiltrate their computer, they will need to know the password to get in via that account, that root account.

GRAHAM CLULEY

Most Mac users will never ever have any reason to use the root account, okay? They've set up their own admin accounts, or maybe their IT team are using admin accounts instead.

So what you should do is you should change your root password, and you could make it completely and utterly random.

CAROLE THERIAULT

Well, add and create one because most people will not have a password there.

GRAHAM CLULEY

So change it from the default, which is how it ships, and that way people won't be able to gain access to your Mac.

And we will put in a link in the show notes where you can go to the Apple support knowledge base article where they tell you how to change the root password.

And the other thing is, of course, Apple is working on a fix. I would imagine that they're going to push it out quite quickly.

And when you see that popping up on your screen, update your Macs because this obviously isn't good enough.

CAROLE THERIAULT

Everybody with a Mac should do this. And there's some really good instructions that we'll give you. So it's really step-by-step. I've done them and, you know, it took me 30 seconds.

GRAHAM CLULEY

Cool. But the bigger story here, though, maybe is, I mean, this is very embarrassing, but what does this say about Apple's quality control?

CAROLE THERIAULT

Oh, stop it. Apple, I think Apple's quality control is pretty darn high. And I don't know, maybe I've been drinking the Kool-Aid too long.

But at the moment, I'm feeling assured that this has not yet been exploited in the wild.

And I'm hoping Apple are going to fix this at double quick time and that everything is going to go back to normal.

GRAHAM CLULEY

Well, you say that, Carole, but fascinatingly, if you go to the Apple Developer Forums, there were people who were asking questions a couple of weeks ago saying, "Oh, I'm having a problem doing this on my Mac." And there were people saying, "Oh, there's a way of getting around that.

All you have to do is type in a username of root and not enter any passwords." So this has been knowledge to some people for a few weeks and they have been using it maybe for good.

Who knows if it's been done for bad as well? Hard to say.

But I do wonder whether if control freak Steve Jobs was still in charge, whether, you know, he would be ripping people to shreds about a bug like this. Yes, wouldn't he?

I doubt he'd be terribly calm and pouring people a nice cup of tea and say, "Oh, these sort of things happen to anybody." Yeah, well, you know, RIP. Well, obviously.

Although I said at the beginning, you know, Windows users can feel smug, I think every company needs to be a little bit careful about bugs like this.

They can creep in all too easily if you're not doing thorough enough quality control, then bugs can appear in your software just like they have in macOS.

So our advice, change your root password, and when Apple push out a patch, apply that patch as soon as you can.

CAROLE THERIAULT

Yes. And Apple, get it out double quick time. This is a biggie.

GRAHAM CLULEY

And we'll be back sooner than you can imagine with a regular episode with all of the goodies, including— we've got no pick of the weeks this week, have we?

Was that a cat meowing in your background?

CAROLE THERIAULT

Yes, it's breakfast time.

GRAHAM CLULEY

See ya.

CAROLE THERIAULT

So I better go. Bye.

GRAHAM CLULEY

Bye.

Update: Apple has now pushed out a security update for macOS High Sierra users that fixes the issue.

Found this article interesting? Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Graham Cluley

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.