I tried again. Entered root as the username in the first dialog box, left password blank. Entered root again in the second prompt, left password blank. And it worked!! :eek:

So, did you put the cursor in the password field or just enter the user name 'root'?

Just trying to see if that's made a difference, not that it makes it any better, really.
 
Worked on 10.13.2 latest beta released today. I went through the instructions to enable root user and give a password. Then I disabled root again. Once I had disabled root, the original issue came back again, so you want to keep root active with a password until this problem is fixed.

Ugh.
 
Not an issue if you don't go and enable a password-less root account on your system, but now a bunch of idiots are going to try this themselves and not bother to clean up the root account, leaving them open.

If you don't go and try this, there isn't much risk. Unless you're someone who allows anyone to use their machine.
 
So they didn’t contact Apple directly before publishing this on social media? @AppleSupport is not responsible for software security.
 
So all this time, when they talked about macOS being "rootless" they actually meant "root password-less". :D

This is almost as bad as the original ssh 2.0 bug which let you connect using any two characters for an account's password.
 
Did you read the article? This works at the LOGIN screen as well. I have confirmed that I can log out of my own account and log in to the PC as the user ROOT with no password.

Please take off your Apple Apologist hat and accept this is a MAJOR security hole. Root access to ANY computer is potentially fatal to the computer.
Works at the login screen? Ok, someone really should be fired over this one.
 
As much as this pisses me off (WTF Apple?!?), I’m glad these security lapses are exposed so they can be patched and corrected.

I would imagine there will be an update for this by the end of the week at the latest.
Well let’s see. Clock starts now.
 
Not an issue if you don't go and enable a password-less root account on your system, but now a bunch of idiots are going to try this themselves and not bother to clean up the root account, leaving them open.

If you don't go and try this, there isn't much risk. Unless you're someone who allows anyone to use their machine.

Umm yeah actually if you'd read the article, it is an issue. If you have a High Sierra computer that someone can walk up to, or steal if it's portable, then all they need is the login screen to come up after powering on and in they go as root with no password. This isn't an issue of intentionally enabling a passwordless root account, Apple has done that for us.
 
So it requires physical access to a Mac that's not just "unlocked" but that has the Users dialogue open with the padlock showing that the pane is unlocked as well. So, no risk if no one else has physical access to the machine or those that do don't know the password. Not exactly like anyone can log in with root, requiring no unlocking at all. So, a bug? Yes. A catastrophic and highly embarrassing failure? Not really.
It says it also provides access at the login screen. Is that incorrect? I’m not sure you actually read the post...
 
Can just see Craig at the next keynote. “We have made it super easy to allow guests to use your Mac, now you don’t need to even set up a guest account and the user has full access”.

Shame, Craig comes across as a great guy, but he is the face of the firmware and the buck stops with him.
 
Umm yeah actually if you'd read the article, it is an issue. If you have a High Sierra computer that someone can walk up to, or steal if it's portable, then all they need is the login screen to come up after powering on and in they go as root with no password. This isn't an issue of intentionally enabling a passwordless root account, Apple has done that for us.
He didn’t even read it. There are plenty of people opining on the matter who didn’t actually read the post. Smh.
 
Booted to my clean install from app store 13.1.05 version and after second wiggle with root it unlocked. Doesn't work with default admin user.
Created an Admin and Standard user in login user admin and can't use them, then using root unlock trick, created two users, still no access but they don't show up in the user list, so someone could create hidden users!
Owch, at login screen was able to log in as root without password. Yipes!
 
It says it also provides access at the login screen. Is that incorrect?

No, this can be used at the login screen as well. I have confirmed that.

However, I had already confirmed access through the System Preferences screen BEFORE I tested it at the login screen. So, the question is "can you get root access without a password at the login screen without having obtained access at the System Preferences screen."
 
Umm yeah actually if you'd read the article, it is an issue. If you have a High Sierra computer that someone can walk up to, or steal if it's portable, then all they need is the login screen to come up after powering on and in they go as root with no password. This isn't an issue of intentionally enabling a passwordless root account, Apple has done that for us.

Although by default you can't enter a username at the login screen, you have to choose one of the normal accounts.
 