A newly-discovered vulnerability in macOS High Sierra allows anyone with access to your laptop to quickly create a root account without entering a password, bypassing any security protocols you have set up.
It’s easy to exaggerate security problems. This isn’t one of those times. This is really bad.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
How the Exploit Works
Warning: do not do this on your Mac! We’re showing you these steps to point out just how simple this exploit is, but actually following them will leave your computer insecure. Do. Not. Do. This.
The exploit can be run in many ways, but the simplest way to see how it works is in System Preferences. The attacker needs only to head to Users & Groups, click the lock at bottom-left, then try to log in as “root” with no password.
The first time you do this, amazingly, a root account with no password is created. The second time you’ll actually log in as root. In our tests this works regardless of whether the current user is an administrator or not.
This gives the attacker access to all administrator preferences in System Preferences…but that’s only the beginning, because you’ve created a new, system-wide root user with no password.
After going through the above steps, the attacker can then log out, and choose the “Other” option that appears on the login screen.
From there, the attacker can enter “root” as the username and leave the password field blank. After pressing Enter, they’ll be logged in with full system administrator privileges.
They can now access any file on the drive, even if it’s otherwise protected by FileVault. They can change any users’ password, allowing them to log in and access things like email and browser passwords.
This is full access. Anything you can imagine an attacker can do, they can do with this exploit.
And depending on which sharing features you have enabled, it could be possible for this to happen all remotely. At least one user triggered the exploit remotely using Screen Sharing, for example.
If certain sharing services enabled on target – this attack appears to work 💯 remote 🙈💀☠️ (the login attempt enables/creates the root account with blank pw) Oh Apple 🍎😷🤒🤕 pic.twitter.com/lbhzWZLk4v
— patrick wardle (@patrickwardle) November 28, 2017
If you have screen sharing enabled it’s probably a good idea to disable it, but who can say how many other potential ways there are to trigger this problem? Twitter users have demonstrated ways to launch this using the Terminal, meaning SSH is a potential vector as well. There’s probably no end of ways this can be triggered, unless you actually set up a root account yourself and lock it down.
How does this all actually work? Mac security researcher Patrick Wardle explains everything here with a lot of detail. It’s pretty grim.
Updating Your Mac May or May Not Fix the Problem
As of November 29, 2017, there is a patch available for this problem.
But Apple even messed up the patch. If you were running 10.13, installed the patch, then upgraded to 10.13.1, the problem was reintroduced. Apple should have patched 10.13.1, an update that came out a few weeks earlier, in addition to releasing the general patch. They did not, meaning some users are installing “updates” that roll back the security patch, bringing back the exploit.
So while we still recommend updating your Mac, you should probably also follow the steps below to close the bug yourself.
In addition, some users are reporting that the patch breaks local file sharing. According to Apple you can solve the problem by opening the Terminal and running the following command:
File sharing should work after this. This is frustrating, but bugs like this are the price to pay for quick patches.
Protect Yourself by Enabling Root With a Password
Even though a patch has been released, some users may still experience the bug. There is, however, a manual solution that will fix it: you just need to enable the root account with a password.
To do this, head to System Preferences > Users & Groups, then click the “Login Options” item in the left panel. Then, click the “Join” button beside “Network Account Server” and a new panel will pop up.
Click “Open Directory Utility” and a new window will open.
Click the lock button, then enter your username and password when prompted.
Now click Edit > Enable Root User in the menu bar.
Enter a secure password.
The exploit will not longer work, because your system will already have a root account enabled with an actual password attached to it.
Keep Installing Updates
Let’s make this clear: this was a huge mistake on Apple’s part, and the security patch not working (and breaking file sharing) is even more embarrassing. Having said that, the exploit was bad enough that Apple had to move quickly. We think you should absolutely install the patch available for this problem and enable a root password. Hopefully soon Apple will fix these issues with another patch.
Update your Mac: don’t ignore those prompts. They’re there for a reason.