Root login without password allowed by default on Mac OSX High Sierra

Mattias Geniar, Tuesday, November 28, 2017

Right, this isn't a good day for Apple.

As first reported on Twitter by Lemi Orhan Ergin, you can bypass just about any security dialog on Mac OSX High Sierra (10.13) by using the root user without a password.

Use the user root and click Unlock several times, you'll eventually bypass the dialog and be granted root privileges. You can try it if you go to the Users & Groups settings screen and click Lock at the bottom.

I'd be very curious to know the technical reasons why this was possible in the first place.

Update: be sure to disable the root user after test

Turns out, testing this actually creates a root user without a password in the background! Make sure to disable the root user in System Preferences to prevent this from getting any worse than it already is.

For a quick workaround, set a non-default (aka: anything) password on the root user via the terminal.

$ sudo passwd -u root

Once a password has been set, it wont change to an empty value anymore.

Also applicable to Remote Management

If you've enabled Remote Management, anyone can log into your Mac using the root user with an empty password.

Woops.

Responsible disclosure?

This issue was first reported on Twitter and is now getting widespread traction. This isn't exactly a good way to disclose security issues, but I'm willing to bet the reporter perhaps didn't think it would go this far in the media?

There's an entire KB about reporting security issues to Apple, if someone ever feels the need to report similar security bugs.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. Currently working on DNS Spy. Follow me on Twitter as @mattiasgeniar.

I respect your privacy and you won't get spam. Ever.
Just a weekly newsletter about Linux and open source.

SysCast podcast

In the SysCast podcast I talk about Linux & open source projects, interview sysadmins or developers and discuss web-related technologies. A show by and for geeks!

cron.weekly newsletter

A weekly newsletter - delivered every Sunday - for Linux sysadmins and open source users. It helps keeps you informed about open source projects, Linux guides & tutorials and the latest news.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *