In this case, only certain builds of macOS are affected, some of which I tested here:

macOS Sierra
10.12.6 (16G29) - Not Affected

macOS High Sierra
10.13 Beta (17A291m) - Not Affected
10.13 (17A365) - Affected (1 out of 2 machines allowed root access)
10.13.1 (17B25c) - Affected
10.13.1 (17B48) - Affected (Tested by redheeler)
10.13.2 (17C79a) - Affected (Tested by Feenician - needs two tries)
10.13.2 (17C83a) - Affected (Tested by redheeler)
 
Took a couple of tries, but I got it to work on my MBP running the latest Beta. Apple needs to fix this ASAP.
Edit: I tried the recommended fix of adding a root user, and it prevents me because there already is a user with that name.
 
In this case, only certain builds of macOS are affected, some of which I tested here:

macOS Sierra
10.12.6 (16G29) - Not Affected

macOS High Sierra
10.13 Beta (17A291m) - Not Affected
10.13 (17A365) - Not Affected
10.13.1 (17B25c) - Affected

10.13.2 Beta (17C79a) - Affected. You have to enter the credential twice (once then once in a popup)
 
Running 10.13.1 on 2017 15" TB MBP. First time, "root" didn't work; the second time, it did.

This is not good. Does this allow anyone to get past initial login, or just after Admin user is logged in?
 
In this case, only certain builds of macOS are affected, some of which I tested here:

macOS Sierra
10.12.6 (16G29) - Not Affected

macOS High Sierra
10.13 Beta (17A291m) - Not Affected
10.13 (17A365) - Not Affected
10.13.1 (17B25c) - Affected
Add 10.13.1 17B48 and 10.13.2 Beta 5 17C83a to the affected list as well - probably all builds of 10.13.1 and 10.13.2 to date are affected.
 
Totally worked on my end. Changed root pwd via terminal.

Apple, time to move on to 10.14. Version 13 is plainly cursed.
 
The login issue doesn't show up unless you follow these Mac Rumors instructions. By following the Mac Rumors instructions, it looks like you're creating a root account with no password. When you create a root (or any other hidden account), only then will the Other option show up and be a major security issue.

Anyone who tries this should disable the root account and the issue isn't as bad (again).
 
So it requires physical access to a Mac that's not just "unlocked" but that has the Users dialogue open with the padlock showing that the pane is unlocked as well. So, no risk if no one else has physical access to the machine or those that do don't know the password. Not exactly like anyone can log in with root, requiring no unlocking at all. So, a bug? Yes. A catastrophic and highly embarrassing failure? Not really.
Fine

Go into your local Apple store
Open up System Preferences > Users and Groups on one of the Macs
Click the padlock and get root access via this vulnerability
Now you have full root access and can wipe the mac, install malware or do whatever you want
 
A gentle redeeming "feature" is that if you have FileVault enabled, and the usual picture login screen, you can't enable it by using the guest account because it boots into a secure Safari only environment, and you can't access the User and Accounts settings from there.
 
Ooops!
Replicated.

Using root as username it unlocked on the 2nd attempt (1st unlock got the shaking head window.)

Oh dear Apple.

Edit: System Version: macOS 10.13.1 (17B48)
 
Although by default you can't enter a username at the login screen, you have to choose one of the normal accounts.
Most workplaces/schools require both a username and password at the login screen. Can only imagine what a nightmare this could be for the admin, though I would assume the smarter admins haven't yet updated the Macs to High Sierra...
 
Didn't work the first time, but all subsequent tries after that did in fact work for me.
 
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.


To replicate, follow these steps:

1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.

This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.

It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.

Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.

Article Link: Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix

I think there is a little more to it than that. I'm using one beta behind the latest beta and it doesn't do it for me. When I try to authorize it prompts me for my user's password. Perhaps there are certain circumstances where this will work? i.e. the user's account has a blank password, etc. I haven't tried logging in yet but I don't think that is going to work either.
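The article's advice is to make sure root has a real password before someone else sets a blank one. The following is an added example (not code from the article or the thread) of how an admin could classify the root record and pick the matching action. It assumes, beyond what the page states, that `dscl . -read /Users/root AuthenticationAuthority` prints the tags on one line, that `;DisabledUser;` marks an account disabled with `dsenableroot -d`, that `;ShadowHash;` marks an account backed by a password hash (which may be the hash of an empty string, so it does not prove a strong password), and that a never-enabled root has no AuthenticationAuthority attribute at all.

```shell
#!/bin/sh
# Added example, not from the thread: audit the root record and map its state to
# the mitigation the article recommends (set a root password).
# Assumptions (not from the page): the tag meanings of ";DisabledUser;" and
# ";ShadowHash;" and the absence of AuthenticationAuthority on a fresh install.

# classify_root_auth <authority string or empty> -> disabled | never-enabled | enabled
classify_root_auth() {
    case "$1" in
        *';DisabledUser;'*) echo disabled ;;
        '')                 echo never-enabled ;;
        *';ShadowHash;'*)   echo enabled ;;   # a hash exists; it may be the hash of ""
        *)                  echo enabled ;;   # any other authority: treat as enabled
    esac
}

# mitigation_for <state> -> the command an admin should run for that state
mitigation_for() {
    case "$1" in
        enabled)       echo 'sudo passwd root   # replace a possibly blank password with a strong one' ;;
        never-enabled) echo 'sudo passwd root   # enable root with a password before anyone else does' ;;
        disabled)      echo 'none now; re-run this audit after any Users & Groups unlock' ;;
        *)             echo 'unknown state' ;;
    esac
}

# root_auth_live reads the real record on a Mac; it is a no-op where dscl is absent.
root_auth_live() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found (not macOS)" >&2; return 1; }
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null \
        | sed -n 's/^AuthenticationAuthority: *//p'
}

# Constructed sample values standing in for dscl output on three different Macs.
SAMPLE_DISABLED=';DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_HASHED=';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
SAMPLE_FRESH=''

for s in "$SAMPLE_DISABLED" "$SAMPLE_HASHED" "$SAMPLE_FRESH"; do
    state=$(classify_root_auth "$s")
    printf '%-14s -> %s\n' "$state" "$(mitigation_for "$state")"
done
```

On a live Mac, replace the constructed samples with `state=$(classify_root_auth "$(root_auth_live)")`.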
 
I was thinking that.
PensDevil says "Select the option to show a list of Users to choose from at the login screen. When that screen appears, press the down arrow once to highlight whatever user happens to show up. Next, hold down the "Option" key and press "Return". The login screen should now prompt you for a user name and password."
root, tab key, hit return, Boom, you're in.
 
Add 10.13.1 17B48 and 10.13.2 Beta 5 17C83a to the affected list as well - probably all builds of 10.13.1 and 10.13.2 to date are affected.

Unfortunately, I just managed to get it to work on a separate machine running the retail 10.13 (17A365) release, so it might predate 10.13.1, although with a lower chance of success?
 