Its pretty shocking actually
[doublepost=1511953431][/doublepost]
It took me two clicks for it to works as well.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
Its pretty shocking actually
[doublepost=1511953431][/doublepost]
It took me two clicks for it to works as well.
And that's one of the reasons why I always stay one OS behind all the time. Still on Sierra and will until next OS comes out.
Iv'e been using Macs for the past 30+ years. I suppose you could call me a 'Macoholic', an original 'Mac Fan Boy' (although not a boy anymore!!) There has been a few bumps along the way but I have generally supported their choice of direction including some of the more controversial decisions like 'removing the floppy drive in 1998'. Overall I think they had done a great job with software and hardware, leading the way and causing others for follow... Until now!! Apple have really dropped the ball. MacOS 10.13, iOS11 have been released far too early, they're simply not ready.
NOTE TO APPLE: Slow down, you don't have to release a new system every 12 months, release it when it's ready. You will get criticised for being slow, but that criticism will soon fade when you release something and "it just works". This is how it used to be back in the day when a Mac's simplicity and reliability made PC's look stupid.
NOTE TO APPLE: Slow down, you don't have to release a new system every 12 months, release it when it's ready. You will get criticised for being slow, but that criticism will soon fade when you release something and "it just works". This is how it used to be back in the day when a Mac's simplicity and reliability made PC's look stupid.
Smart idea. I'm too much of a sucker for the new features in every release. But after this maybe I might do the same thing.
[doublepost=1511954808][/doublepost]
They seem to be killing the golden goose in a rush to make more gold.
It took me two clicks to reproduce it, at first I tapped on the password area and left it blank, the second time I didn't click on the area and it worked.
I had the problem only on my new MBP since I installed it from scratch and didn't set the root password, on the old one I updated to high sierra but the root password was already set so I can't get access with a blank one.
You wonder how they didn't catch such a big security flaw, their QA is disappointing.
I had the problem only on my new MBP since I installed it from scratch and didn't set the root password, on the old one I updated to high sierra but the root password was already set so I can't get access with a blank one.
You wonder how they didn't catch such a big security flaw, their QA is disappointing.
The crazy thing is that even though the "root" user is not listed on the accounts settings, it now shows at the log in screen!!! This is nuts. How do I remove it!?
Actually, this should have been caught in a code review, which should definitely be done with every item that directly involves security (in fact, code reviews should be done on everything, but I doubt that Apple or anyone else really does that).
This isn't a testing or QA problem, it falls squarely on the shoulders of the coders and their management. Big fail on Apple's part. Maybe they should be spending more time on engineering and coding rather than worrying about reaching their one millionth patent.
Why is is this just on High Sierra? What was done you believe to create this issue?
This is one GIANT FUBAR by Apple. It should be a forced hotfix too, not a user choice.
Root was enabled by default? On mine (Sierra) it is not enabled although i enabled it, set a pw then disabled it just to be sure.
Pretty scary, but easily fixed. I wonder how many people have bothered to actually set their firmware password after reading this. And also consider how likely it is that your Mac will be broken into. I am not worried.
This will not work if the account falls under Parental Controls (while logged into that account). And I cannot get the login screen method to work - this means of "root" access doesn't seem to work on my MBP - maybe because one account is the admin, and one is the Parental Controls account. It has only worked for me if I am already logged into my (admin) account.
And while this is very bad for Apple...understand that computers (regardless of OS) aren't foolproof. But macOS is easily (still) the most secure OS out there. Right out of the box. So set your firmware password, backup your data, and rest easy. This is worse for Apple than it is for users of macOS.
The sky actually isn't falling, Chicken Little. Just set your firmware password.
This will not work if the account falls under Parental Controls (while logged into that account). And I cannot get the login screen method to work - this means of "root" access doesn't seem to work on my MBP - maybe because one account is the admin, and one is the Parental Controls account. It has only worked for me if I am already logged into my (admin) account.
And while this is very bad for Apple...understand that computers (regardless of OS) aren't foolproof. But macOS is easily (still) the most secure OS out there. Right out of the box. So set your firmware password, backup your data, and rest easy. This is worse for Apple than it is for users of macOS.
The sky actually isn't falling, Chicken Little. Just set your firmware password.
Are you for absolute real?
Wow...so much wrong with your post, its scary. And as for your last sentence - man....you are SO wrong it's unreal.
[doublepost=1511957514][/doublepost]
No, they didn't. They demonstrated a proof of concept that they can make a mask that eventually can fool Face ID but they have yet to prove it can work in real life. Ask yourself this; how many attempts did they take to perfect the mask? Also, remember that they at all times had the ability to reset the failed counter back to zero on the phone.
In real life they'd get at most just 5 chances to craft a mask and have it work. On the 6th attempt Face Id is disabled and no amount of re-crafting as mask will help - it's then the passcode or nothing.
[doublepost=1511957717][/doublepost]This is not just a problem via Users & Groups - if you can see the "Other" user on the Login Window screen then you can enable root that way. I clicked on this, signed-in with root and no password and it set-up root and l was in with full system admin rights. What a nightmare!!!
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.
This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.
Update: An Apple spokesperson told MacRumors that a fix is in the works:
Article Link: Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
Thanks, MacRumors. You've aided all those thieves who grabbed computers from stores as well as private citizens.
Not always true; there was a root escalation bug that could be exploited by a one-line shell script in Yosemite that was fixed in early El-Capitan betas.
[doublepost=1511958044][/doublepost]
Oh, please... This news is everywhere. And I mean EVERYWHERE! Try reading other sources other than MacRumors!
[doublepost=1511958149][/doublepost]
From everything I've read, here and on multiple other sites, there have been non reports anywhere of this affecting Sierra or below.
That's usually a good start for making the statement that "This only affects High Sierra"
This is really bad.. I tried to VPN into my mac pro server with root/blank and it worked! Major screw up, this is not just a problem with local access to a machine
FYI: I had root enabled on my machine but it still worked. I had to "Change Root Password" for it to "fix" the issue.
[doublepost=1511958250][/doublepost]
Wholly crap! Wow, I'm surprised with this major screw up and the lack of news/write-ups about it.
[doublepost=1511958250][/doublepost]
Wholly crap! Wow, I'm surprised with this major screw up and the lack of news/write-ups about it.
If accountability means anything then someone should be fired for such a stupid mistake.
While I still prefer Apple products and won't consider changing, I have less and less confidence in Apple's design, product management and performance. I have never had confidence in their customer service or willingness to stand behind their products.
While I still prefer Apple products and won't consider changing, I have less and less confidence in Apple's design, product management and performance. I have never had confidence in their customer service or willingness to stand behind their products.
Root hack works on my Mid 2017 21.5" i5 iMac but didn't work on my Late 2013 15" MacBook Pro Retina.
Apologies if this is in the thread but I tried searching and I could not find the answer. Bloomberg tech had a segment on this flaw but they did not fully explain one aspect. They said someone could access your Mac remotely if they were on the same network.
Does that mean on your wifi network or your shared ethernet if you have it shared to other devices but not open to the internet as a whole?