Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
Yeah, if you have 6 billion years to brute-force the password (or have the recovery key). You're aware that FileValut2 encrypts the drive, right? It's not just a password "for show," which is more or less all regular user account passwords are by comparison.
That’s a general pre-existing article on how to enable and disable root. Perhaps Apple could be clearer on what they say you should do right now by posting a new, specific article on the issue but, per the article you’re replying to: -
“Apple” said:
Nowhere are they saying, “but totally just disable root again and then panic”.
Edit: that sounded snarky, and wasn’t meant to be. No coffee yet, sorry. Agree that the advice should be clear and specific RE: the issue at hand.
The vulnerability is not apparent for me. But if I type in "root" then my usual admin password, I'm let in. So does that mean my admin account is a "root" account?
If I follow the Apple directions to "Enable or disable the root user" I only see the option to "Disable Root User". So my account runs under the "root" thing? If so, it's been like that since forever. Is that wrong? Dangerous? I'd appreciate some clarification.
If I follow the Apple directions to "Enable or disable the root user" I only see the option to "Disable Root User". So my account runs under the "root" thing? If so, it's been like that since forever. Is that wrong? Dangerous? I'd appreciate some clarification.
It means you, or someone, set the root password to be the same as your usual password at some point in the past. You’re fine, provided it’s a decent password.
Thanks. Can't remember ever doing anything special .. just chose a password when I installed the OS. But, yeah, good then.
Exactly. I was confused too by the apple link. Most apple owners doesn't have root access setup and/or doesn't even know what a root account is. My new 2017 iMac was setup by Apple without any root account active. It just mean that all macs around the world are affected and can be hacked by a botnet. Today November 29, Apple didn't release anything yet ? Surprising.
Or it could be that the moment this got released, users of 10.12 everywhere that knew about it tested it and found it was not affected...?
Let's be honest here - this thing has gone global - the fact that there's been something like a 99% success rate of exploiting 10.13 (I'm one of the very few who apparently have a secured High Sierra box even before this broke), and that we're at close to ZERO reports of 10.12 - yeah, pretty damning evidence that this doesn't effect 10.12...
I think it’s best for Apple to re-evaluate software development teams & find out who is the blame for this situation.
Coding is a very complex task, if you change every snippet code or adding new code that means you have to test 100 times to make sure there is no bugs or security loophole.
We pay for premium price for the hardware & software, it’s your responsibility to make sure there is no bug and no security loopholes, we all deserve to live without fear & trust Apple.
Coding is a very complex task, if you change every snippet code or adding new code that means you have to test 100 times to make sure there is no bugs or security loophole.
We pay for premium price for the hardware & software, it’s your responsibility to make sure there is no bug and no security loopholes, we all deserve to live without fear & trust Apple.
I was able to access root using the "other" login screen. Don't know when the "other" option appeared since I didn't modify anything in users/groups (?)
I read the bit just under the headline in the bordered box that said:
"You should disable the root user after completing your task."
I think that is where the confusion comes in, in that article anyway.
I don't have my Mac with me to test, but your post makes me wonder about something. What if by putting in your regular password to trigger this bug, that's the password that gets set with the admin account? So it's not so much about specifically using a blank password, rather it's all about the attempted login.
Steps to test:
- Disable 'root' to re-enable the vulnerability.
- Attempt to log on as root using a random password.
- Does it work the same as when a blank password is used in the attempt?
Yea I'm sure Timmy agrees hence releasing half-baked products for consumers to beta-test.
Other appeared, and you were able to log in as root, because you had enabled it using the bug at hand.
I don't believe that is correct - if the Mac is configured such that somebody can type in a user account at the login screen rather than just clicking on a list of existing users, the exploit can be activated. (Of course, this isn't the default configuration...)
That’s not correct. The root account is activated only by accessing something requiring elevated privileges in the GUI and using root as the user in the prompt. After that, yes, you can log in as root but you would have had to have access to an existing account in the GUI.
So it looks like no one investigated the bug fully. If the root user is disabled, *any* password, including none, will work after a few tries. The root account will then be enabled and the password will be set to whatever password you were using, including nothing.
*sigh*
The user still has to confirm the install. No one forces them to do anything.
Don't be a victim unless you're really a victim
Too much Kush in the QA dept............guess we know what Apple was thinking when they named it "high" Sierra!
Worked for me -- after a few tries. Looks like a backdoor to me. Maybe put in by some Russian or Chinese Apple employee.
- Disable 'root' to re-enable the vulnerability.
Did that.
- Attempt to log on as root using a random password.
Tried, couldn't log in.
-- Does it work the same as when a blank password is used in the attempt?
Couldn't log in with blank password either. Tried many times - so why doesn't the vulnerability happen for me?
Also, now can't log in as "root" with my usual password (which I guess is to be expected since the change).
Should I re-enable the root thingy?