Stupid, stupid MacOS security flaw grants admin access to anyone

UPDATED: The latest version of macOS includes a mindlessly simple, one-step way to take over any Mac.
Written by Steven Vaughan-Nichols, Senior Contributing Editor


Update: Apple fixes macOS password flaw

Apple, Apple, Apple. What are we going to do with you? In your most recent High Sierra macOS release, it turns out you've given a way for any local user to take over a Mac -- lock, stock, and two smoking barrels.

Go over to your Mac running High Sierra and try this: Wake it up and go to your login screen. Now choose "Other User", enter root as the username, and leave the password empty. If the first attempt fails, try it again: in most reports the first attempt silently enables the root account with an empty password and the second one logs you in. You may very well find that you have just logged into your system as root, the superuser. You now own that box.

That means if you stole a Mac, or just get physical access to one while the owner is away, you own all the data on it. Can you say bad? I knew you could.

This is an all-time security failure. I cannot think of anything to match it. Every Mac running the current High Sierra builds is wide open to this attack.

This exploit doesn't require any mad NSA-type hacker skillz. If you can use a keyboard you can get in.

In the original version of this security hole, all you had to do was go to System Preferences, then Users and Groups, and click the lock to make changes. Then, enter "root" as your username without a password. Shazam! You're in.

As on any Unix/Linux-based system, the root user controls all administration functions and can read and write any file on the system, including other users' files. In theory, root is disabled on macOS unless you expressly enable it (through Directory Utility or dsenableroot). Wrong!

Once in, you can edit your own permissions. For example, want to give yourself administrator privileges? Sure! Or, you can set up new administration-level accounts. Once you've done that, you can do anything your heart desires within the system.

Turkish developer Lemi Orhan Ergin discovered this variation of the flaw and announced Apple's remarkably stupid security mistake on Twitter.

I, and numerous others, have checked it. We've found that the hole is just as bad as you'd think. The problem has been confirmed to exist in macOS High Sierra 10.13.0, 10.13.1 (the current High Sierra release), and the macOS High Sierra 10.13.2 beta.

It first appeared that you couldn't hijack a system using this trivial trick remotely. Since then, Will Dormann, a CERT/CC vulnerability analyst, has reported: "If you have exposed 'Screen Sharing,' you can allow people into your machine with full GUI access, using no password." In addition, Dormann discovered "Apple 'Remote Management' also has the same exposure. If 'Control' is enabled, that gives full interactive remote root access to a system, without requiring a password."

Apple has confirmed the problem exists. In a statement, Apple said that adding a password for root would fix the problem. An Apple spokesperson added, "We are working on a software update to address this issue."

This makes four -- count them, four -- password-related security problems since High Sierra was released in September.

For the time being, you must -- must -- set a password for the root account. You can do this with the following command from the Terminal (it prompts for your own password for sudo, then for the new root password twice):

sudo passwd root

This form targets the root account directly; on macOS the -u option to passwd names the user to authenticate as, not the account to change, so "passwd root" is the unambiguous spelling. You can also do the same thing from Directory Utility (Edit > Enable Root User), which enables root and asks you for a password.

Once you've set a password for root, the blank password trick won't work, whether at the login screen, in the Users and Groups lock, or over Screen Sharing.
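If you manage more than one Mac, you will want to check rather than assume. The audit script below is an added example written for this page, not code from Apple or from the article's author: it reports whether the root account has a real password hash (the thing the blank-password trick relies on being absent) and whether Screen Sharing / Remote Management is listening on the network, since line-of-sight access is not required where that service is exposed. It assumes, and these are assumptions not stated on the page, that a root account with a password set carries a ";ShadowHash;" entry in its AuthenticationAuthority attribute, that a disabled root carries a ";DisabledUser;" marker, and that Screen Sharing and Remote Management listen on TCP port 5900. The parsing functions take command output as text so they can be exercised offline; the collectors only run dscl and lsof where those commands exist.

```shell
#!/bin/sh
# Added audit example (not from the article): check the two conditions the
# article says matter on an unpatched High Sierra box.
#
# Assumptions (not on the page): root with a password has ";ShadowHash;" in its
# AuthenticationAuthority value; a disabled root has ";DisabledUser;"; Screen
# Sharing / Remote Management listen on TCP 5900.

# root_password_state AUTHAUTH_TEXT -> prints one of:
#   "disabled" : the ;DisabledUser; marker is present
#   "set"      : a ShadowHash is present (sudo passwd root has been run)
#   "none"     : no ShadowHash at all (the state the empty-password trick abuses)
root_password_state() {
    case "$1" in
        *";DisabledUser;"*) echo "disabled" ;;
        *";ShadowHash;"*)   echo "set" ;;
        *)                  echo "none" ;;
    esac
}

# vnc_listening LSOF_TEXT -> exit 0 if any line shows a LISTEN socket on 5900
vnc_listening() {
    printf '%s\n' "$1" | grep -q ':5900 (LISTEN)'
}

# Collectors: run the real macOS commands when present, otherwise produce
# empty output so the script degrades gracefully on other systems.
read_root_authauth() {
    command -v dscl >/dev/null 2>&1 || return 0
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null
}

read_vnc_sockets() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -nP -iTCP:5900 -sTCP:LISTEN 2>/dev/null
}

# audit -> human-readable findings on stdout
audit() {
    state=$(root_password_state "$(read_root_authauth)")
    case "$state" in
        set)      echo "root: password hash present (blank-password login blocked)" ;;
        disabled) echo "root: DisabledUser marker present" ;;
        none)     echo "root: NO password hash - run 'sudo passwd root' now" ;;
    esac
    if vnc_listening "$(read_vnc_sockets)"; then
        echo "screen sharing: TCP 5900 listening - remote root login possible until patched"
    else
        echo "screen sharing: not listening on TCP 5900"
    fi
}

# Run the audit unless the caller only wants the functions (AUDIT_RUN=0).
[ "${AUDIT_RUN:-1}" = "1" ] && audit
```

Run it with `sudo sh audit.sh` on each Mac; the "none" line is the one to act on. The 5900 check is a network-exposure check, not proof the service is reachable from outside, so pair it with a firewall review.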

So, what are you waiting on? Set the root password already!
