There are two root user accounts, "Root" and "root". If I disable "root", "Root" becomes active; if I disable "Root", "root" becomes active. I cannot disable both! One or the other is always active.
 
If you changed the root user password using the Apple HT204012 then disabled the root user account you can still access the root user (with no password) by trying 2 times.

The most important thing is to type something in the password window then remove it.

User name: root
Password: type something then remove it with backspace
Click Unlock

x 2
 
I think you are misunderstanding. What you want to do is enable the root user with a password and leave it enabled. That way, leaving the password blank doesn't work.
 
I love how everyone is freaking out. If this was such an "obvious bug" like you all think it is why is it just getting discovered now?

This kind of thing happens in software development, this is why companies (Apple included) pay bounties for hackers to find bugs like this that would be very hard to catch otherwise.

Yes, it needs fixed, but people are acting like the world is ending. You can't even do it from the login screen (if you can I haven't figured out how since your username is already up there, there is no spot for you to enter root.)
 
No. I'm using another admin account, then I click on the LOCK icon and enter root instead of my admin account, enter a password (a space for example) then remove it then click unlock. And it works very well. I shouldn't be able to remove the lock by entering root and no password in the window. Note that if you don't type something in the password field it doesn't work. The trick is to enter something, not validating it, remove it with backspace then click unlock.
 
And it was posted on the Apple developer forum more than two weeks ago.

This.

MR, At least give credit to the true finder of the exploit, not the careless hack who posted it for the world to see.
 
running 10.13.2 Beta (17C79a)

tried everything suggested here and cannot get in with this bug - does not exist on my machine
 
The Apple fix disabling root user doesn't work. Even if you disable it you'll be able to log in again with root and no password (enter a password then remove it using backspace) and you'll see that every time the root access is re-enabled automatically in the directory utility.

There's no fix.
I set a root password. Fixed.
 
All this means eventually is that Apple will increase the amount of times you have to enter a password instead of overhauling macOS to support something sane like a one time log in and proper admin user access. I get so tired of having to enter my password dozens of times while using macOS for simple stupid everyday things just because Apple is trying to lock down this aging OS in the most cheap and quickest way possible. I mean if you have to enter credentials multiple times doing one workflow task, this is an epic failure in UX, period.

I guess this is why they are rushing to add Face ID to upcoming Macs because of a nearly continuous need to authorize access to simply use macOS these days because Apple is too busy squirreling away iPhone profits in overseas accounts to bother to bring any real innovation or security back to their OLD desktop software products.
 
just a space then remove it (see screenshot). I already changed my root password then disabled root user.
 

Attachment: Screen Shot 2017-11-29 at 2.44.33 PM.png
It's made it into mainstream media news reports. Just in time for Christmas. Not good news in the run up to Christmas shopping. Someone's dangly bits will be being squeezed in a vice about now (or should be).
 
No. I'm using another admin account, then I click on the LOCK icon and enter root instead of my admin account, enter a password (a space for example) then remove it then click unlock. And it works very well. I shouldn't be able to remove the lock by entering root and no password in the window. Note that if you don't type something in the password field it doesn't work. The trick is to enter something, not validating it, remove it with backspace then click unlock.
But did you leave the root user account enabled? If so, doing what you describe won't unlock it.
 
geez sounds like they pushed test features to prod.

Fascinating, if Windows did this, the upload and criticism would be epic, still some don't see the issue....cute :)
 
I know just enough to use my MBP for my limited daily uses. I read these type threads and follow them at first, then when different ‘fixes’ (many wrong) start coming along I get confused. Especially when I read here...”any Mac with internet access is vulnerable”. So help a non-techy, please advise...won’t I be safe until this is fixed, if I just leave my MBP powered off? I have an iPad to keep up with when a fix is available.
Just set an admin password like the guide tells you to, and you'll be safe.

Also, as someone else pointed out, remote desktop is not enabled by default, so if you haven't enabled that AND the Mac is only ever inside your home, you're safe. If any of those conditions are not met, fix it with the trick the OP and, of course, always keep your Mac updated.
 
By doing that you re-enabled the vulnerability. The account can now once again be enabled with a blank password.

Yes I believe it is correct but you can bypass it locally as I said (by playing with the password window). Not sure it works remotely. Maybe a bug in the bug.
 
Can't reproduce in latest 10.3.2 beta. Maybe only if root is enabled anyway?
10.3.2 does by far deliver the best performance whatsoever. even on a 2010er MBP.
 
Disabling root is what will allow the blank password to work. You need to enable root, with a password and leave it enabled. When you do, the blank password doesn't work.

No, I followed the Apple instructions, disabled root (I can see enable root in the directory window so root is not active) then closed all locks BUT I can still enter again by typing root, space then backspace then unlock.
 
I couldn't reproduce it on my rMBP with the latest beta, but when I tried a real password (one I might have set) it allowed me in. Some time ago I was trying to run something from the terminal as a superuser but couldn't due to lack of password, I suspect the password was set at that point.

My macMini running 10.3.1 did show the bug and allowed me in with a blank password.
 
No, I followed the Apple instructions, disabled root (I can see enable root in the directory window so root is not active) then closed all locks BUT I can still enter again by typing root, space then backspace then unlock.
Same on this end... I have too many Macs to fiddle with disabling.. created a passcode on all of them.. Disabling only works for one or two tries and then it's wide open again... disabling does not work. None of my Macs have remote sharing or sharing of any type enabled (Find it useless for what I use my machines for) and it will still allow you to enter without a hitch...
 