Please revoke any permits on self-steering cars until these amateurist bumbo's have performed a necessary reorg
Last edited:
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
Not saying that, macOS is the best of the 3. I prefer iOS though.
Also to note: My Root login was enabled since the previous macOS and I knew the password... it was showing as "Enabled" and the menu showed "Change Password" and "Disable Root" - BUT this bug worked anyway! Im astounded and this sloppy miss by Apple. Im so glad I have held back my companies Macs and my clients macs from upgrade.
Working through "Change Password" - updated something and fixed the issue... I used the same PW as before.
Please Fix this on 10.13.2!
Working through "Change Password" - updated something and fixed the issue... I used the same PW as before.
Please Fix this on 10.13.2!
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.
This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.
Update: An Apple spokesperson told MacRumors that a fix is in the works:
Article Link: Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
Or maybe because it has just been discovered, there isn't any previous reports to verify it. The next time I get access to an older Mac, I'll give it a go and report back.
I don't understand why there was such attention paid to the talking poo animoji; Siri's been a talking piece of crap for years.
As others have already said, this is being reported on mainstream news outlets all over the world, it isn’t just macrumours reporting it.
Plus the guy who discovered it posted it to Apple using a twitter post, it’s pretty much everywhere
Yes because the people who create emojis are the same people in charge of MacOS security.
What's the likelihood of this being exploited? I am assuming if you use a mac on public wifi and someone on the same network knows how to access? Just curious as I have no idea when it comes to stuff like this.
Windows and Linux have no exploits? BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA.
Have you ever looked at WSUS or Linux update packages? (...still laughing...) You need to see the sheer number of security updates to appreciate how vulnerable Windows is. And don't get me started on Linux.
Do you know of an example where this macOS vulnerability was actually used? I am pretty sure you can't. How about how many times macOS was "hacked" via a similar vulnerability? And please don't start with the iCloud "hack" that so many celebrities were victim to. That was social engineering, which ANYONE can fall victim to. Security doesn't mean squat if you're talking about human error. And that is what is most likely at the "root" of this current vulnerability.
;-)
Last edited:
It is unlikely that it will be successfully exploited, Apple will most likely be patching it very soon. Or people can just set a firmware password and disable the vulnerability entirely right now. What is of real concern here is the fact that you can use this vulnerability to access macOS over a network connection, you don't have to physically be at your Mac.
And a lot of the vitriol comes from trolls and the media. The media isn't really doing anything wrong, though. They can't be blamed for reporting on this story, they are just doing their job. The trolls are different - these are mostly self-important shills with an axe to grind...and it isn't Apple necessarily that they would be venting on. Believe me, if this was still unreported, these same idiots will still be out there, looking for any opportunity to skewer the latest Hate of the Day.
The Apple fix disabling root user doesn't work. Even if you disable it you'll be able to relogging with root and no password (enter a password then remove it using backspace) and you'll see that everytime the root access is re-enabled automatically in the directory utility.
There's no fix.
There's no fix.
Yes there is. Set a password for the root user that's not blank.
https://support.apple.com/en-us/HT204012
no it doesn't work. logout then re-login. Enter root (and no password) and it works even if you changed the password previously.
Yes it does. I tried this, and after I set my firmware password. Setting your firmware password will fix this.
No. Heads have to roll on this, even if it’s whomever does the sign-offs on testing. Some people have to get fired here. This didn’t just happen. A root cause analysis will be conducted and somewhere the buck will stop. There are businesses that have Macs in-house - from start-ups to major F100 corporations, running across multiple industries. While Apple may be able to throw “advertising dollars” at this to the general public (some are already saying they don’t care), CIOs and tech leadership with Macs in-house, devs and tech industry people who really understand what this is will and should be calling for explanations. Beyond that, after the root cause analysis, the expectation is the assurance that the issue has been fixed, and what steps have been taken to make sure that something like this will never happen again.
I’m really interested in how this will go regardless.