Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password [Updated]

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
68,645
39,519



A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.

Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:
  1. Open Spotlight and search for Directory Utility.
    directory_utility_spotlight-800x506.jpg
  2. Double click on the app result to open.
  3. Click on the lock at the bottom of the window to make changes and enter your username and password for an administrator account on your computer.
    directory_utility.jpg
  4. In the menu bar at the top of the screen, choose "Edit."
    macoshighsierrarootbugeditmenu.jpg
  5. Select "Enable Root User."
From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.

macoshighsierrarootbugpassword-800x601.jpg

Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.

To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."

Update: Apple has released a security update to fix this issue, and all macOS High Sierra users should apply the update as soon as possible to ensure they are protected.

Article Link: Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password [Updated]
 
Article Link
https://www.macrumors.com/how-to/temporarily-fix-macos-high-sierra-root-bug/
This is such a fundamental and major security flaw, it's mind-blowing how it managed to get through Apple's QA

A critical vulnerability that allows root access to all macs with a single click. We'd be laughing at Microsoft if this had occurred with Windows
 
  • Like
Reactions: Cameroncafe10a, T909, mistasopz and 24 others
A faster way to launch Directory Utility is to type "directory utility" in Spotlight, then press return. (This assumes that you have "Applications" enabled in Spotlight's preferences.)

Make sure you choose a secure root password. Leaving root enabled with an easily guessed password defeats the purpose.
 
Last edited:
  • Like
Reactions: ShinyDren, Sasparilla, jimthing and 2 others
MacRumors said:



A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.

Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:
  1. Open System Preferences.
  2. Choose Users & Groups.
  3. Click on the lock to make changes.
    macoshighsierrarootbugclicklock-800x583.jpg

  4. Enter your administrator name and password.
  5. Click on "Login Options."
    macoshighsierrarootbugloginoptions-800x583.jpg

  6. Choose "Join" at the bottom of the window.
    macoshighsierrarootbugjoinnetwork-800x583.jpg

  7. Select "Open Directory Utility."
    macoshighsierrarootbugopendirectory-800x583.jpg

  8. Click on the lock to make changes and enter your username and password.
  9. At the top of the menu bar, choose "Edit."
    macoshighsierrarootbugeditmenu.jpg

  10. Select "Enable Root User."
From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.

macoshighsierrarootbugpassword-800x601.jpg

Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.

To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."

Article Link: Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password
Click to expand...


Except it doesn't work correctly. You can set a password on the root account, and that part works. The part that doesn't work is disabling the account. It will SAY that it's disabled in the menu, but if you just try using it again (with your new password) it will still work, and when you go to look at the Directory Utility's menu setting, it will show the root user is enabled once again. The only thing you can do is put a password on the account and call it a day, until Apple fixes the bug(s).
 
  • Like
Reactions: gertruded and findjohnny
Or, you know, don't leave your laptop sitting around unlocked. As more or less 100% of your critical info is under your user account anyway, probably even in the easy to find Documents folder, it's almost useless to spend time (as a theif) monkeying with root accounts. Just yoink what you need directly. Creating a root password (as a theif) presumes future access to the Mac, in which case it's been lifted already, and there are ways to get at your info, anyway, if it's unencrypted, as most Macs are.

Pretty dumb flaw, yes, but you deserve what you get if you leave your unattended, unlocked laptop lying around where people can physically get at it in the first place.
 
  • Like
Reactions: artfossil and Madhatter243x
mattyj2001 said:
Or, you know, don't leave your laptop sitting around unlocked. As more or less 100% of your critical info is under your user account anyway, probably even in the easy to find Documents folder, it's almost useless to spend time (as a theif) monkeying with root accounts. Just yoink what you need directly. Creating a root password (as a theif) presumes future access to the Mac, in which case it's been lifted already, and there are ways to get at your info, anyway, if it's unencrypted, as most Macs are.

Pretty dumb flaw, yes, but you deserve what you get if you leave your unattended, unlocked laptop lying around where people can physically get at it in the first place.
Click to expand...

I thought this exploit worked on locked systems too though so...
 
  • Like
Reactions: CarpalMac and Ener Ji
poppy10 said:
This is such a fundamental and major security flaw, it's mind-blowing how it managed to get through Apple's QA

A critical vulnerability that allows root access to all macs with a single click. We'd be laughing at Microsoft if this had occurred with Windows
Click to expand...

On Windows XP, the default Administrator password was blank.
 
  • Like
Reactions: bernuli
xSyKoTiKx said:
Except it doesn't work correctly. You can set a password on the root account, and that part works. The part that doesn't work is disabling the account.
Click to expand...
Note that these instructions don't tell you to disable the root account. They mention HOW to disable it, if and when you want to, but advise you not to until the bug is fixed.

If there's a flaw in the procedure to disable the root user, then let's hope Apple fixes that too.
 
  • Like
Reactions: dubAdub and bwintx
This "fix" is not working on my system running High Sierra Version 10.132 Beta (17C83a) - funny thing is after using "root" to login I've noticed that root user is enabled when checking in the Directory Util after - if I disable - try the root bug again - go back in the Directory Util it's enabled again .. ?
 
mattyj2001 said:
Or, you know, don't leave your laptop sitting around unlocked. As more or less 100% of your critical info is under your user account anyway, probably even in the easy to find Documents folder, it's almost useless to spend time (as a theif) monkeying with root accounts. Just yoink what you need directly. Creating a root password (as a theif) presumes future access to the Mac, in which case it's been lifted already, and there are ways to get at your info, anyway, if it's unencrypted, as most Macs are.

Pretty dumb flaw, yes, but you deserve what you get if you leave your unattended, unlocked laptop lying around where people can physically get at it in the first place.
Click to expand...
Laptop? How about all the schools and Universities that use iMacs with admin accounts? This is a HUGE flaw and shouldn’t be downplayed.
 
  • Like
Reactions: T909, arkitect, zilba25 and 6 others
plun9 said:
On Windows XP, the default Administrator password was blank.
Click to expand...
So the lesson should have been learned long ago. XP was a total security mess until about SP2. Before XP, always on broadband wasn’t yet commonplace, so flawed software was less exposed. Today, seemingly everyone is looking for the holes.
 
mattyj2001 said:
Or, you know, don't leave your laptop sitting around unlocked. As more or less 100% of your critical info is under your user account anyway, probably even in the easy to find Documents folder, it's almost useless to spend time (as a theif) monkeying with root accounts. Just yoink what you need directly. Creating a root password (as a theif) presumes future access to the Mac, in which case it's been lifted already, and there are ways to get at your info, anyway, if it's unencrypted, as most Macs are.

Pretty dumb flaw, yes, but you deserve what you get if you leave your unattended, unlocked laptop lying around where people can physically get at it in the first place.
Click to expand...

Yes, it is always the users’ fault.

I’m pretty sure software/hardware companies only need to test their products the correct way they are supposed to be used.
 
  • Like
Reactions: arkitect, iSilas and CarpalMac
MacRumors said:



A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.

Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:
  1. Open System Preferences.
  2. Choose Users & Groups.
  3. Click on the lock to make changes.
    macoshighsierrarootbugclicklock-800x583.jpg

  4. Enter your administrator name and password.
  5. Click on "Login Options."
    macoshighsierrarootbugloginoptions-800x583.jpg

  6. Choose "Join" at the bottom of the window.
    macoshighsierrarootbugjoinnetwork-800x583.jpg

  7. Select "Open Directory Utility."
    macoshighsierrarootbugopendirectory-800x583.jpg

  8. Click on the lock to make changes and enter your username and password.
  9. At the top of the menu bar, choose "Edit."
    macoshighsierrarootbugeditmenu.jpg

  10. Select "Enable Root User."
From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.

macoshighsierrarootbugpassword-800x601.jpg

Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.

To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."

Article Link: Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password
Click to expand...

You can open Directory Utility from Spotlight, saves a few steps.
 
  • Like
Reactions: dotnet and bwintx
This is an extraordinary level of incompetence. Normally I’d say security bypasses like this are by design but this is such an easy and obvious bypass that it was bound to be discovered fairly quickly.

What does this say about the state of software development at Apple? I get that mistakes and bugs happen but something this severe and easy to replicate can’t have occurred without multiple people not doing their jobs properly.

Does Apple have QA anymore?
 
Last edited:
  • Like
Reactions: yoyo kayak, mikegem, kazmac and 2 others
Can someone confirm if this bug/exploit works on a Mac with touch bar/ Touch ID?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back