back to article Pro tip: You can log into macOS High Sierra as root with no password

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff …

Anonymous Coward

In fairness, there don't seem ot be too many apologists for once. Presumably, this is so stupid that even Apple fans cannot think up a way to minimize it.

We're also not all "fanbois" or "apologists", but simply people who want desktops to work to an acceptable standard of safety and security, which until now happened to be easiest to achieve by using MacOS based systems. Frankly, I am both appalled and incensed by this and I feel rather let down by Apple that this ever made it past QC.

I expect more than just the usual silence from Apple on this. It is quite simply unacceptable - there ARE no excuses for this.

6
0
Silver badge

GOTO FAIL;

12
0
Silver badge
Happy

"GOTO FAIL;"

Now that was cruel.

Have an upvote. :-)

4
1
Silver badge

I knew there must have been a superfluous GOTO FAIL; in there.

1
0

I configured a root password AGES ago, perhaps way back when MacOS X was a new thing! Really who would fail to do such trivial security work?.........uh........forget I asked..........

3
2

Macs are consumer devices. The vast majority of users/owners aren't going to even know what root access is, and nor should they need to.

"IT people" who look down on users who don't have a professional level of IT knowledge and roll their eyes at them whenever this type of things happen just reinforce the Moss stereotype. A total failure to understand and therefore accommodate the user's average expected level (or lack) of knowledge is also a reason so many issues occur in the first place.

9
0
Devil

2017 Fail Award

I think we have a winner

8
0
Silver badge

AFK

I'll read the comments later. ☺

I'm off to play in the Apple Store! ☺

Only kidding! Honest! ☺

13
0
Anonymous Coward

Re: AFK

You're not one of those who'd go into Dixons and type the magic sequence of peeks and pokes into an Amstrad CPC464 (or whichever one it was, someone out there will know) that would render it a smoking ruin in a few minutes time?

(It was possible to get two peripherals driving the data bus at the same time - a logic design error. Get one of them trying to write all 0's, and the other all 1's, and you'd made a short circuit from software. Some chip would then get hot enough to let the magic smoke out...).

10
0

Re: AFK

Dragon 32 I thought?

1
0

Re: AFK

"a smoking ruin in a few minutes time?"

For real? What chip was sending smoke signals from that? (Never heard about this HCF before.)

1
0
Pirate

You're logging in wrong!

8
0
Silver badge

Possibly one of the worst oversights to date on any flavor of any OS

Considering the cost of a machine that you need to pay in order to have one that runs High Sierra (MACs are stupidly expensive for the specification) You would think that the manufacturer could engage in some basic testing of security.

With the numbers of people who own these items, there is no way that this wasn't found on the day of release by someone, and WILL have been used in a malicious manner.

There is a (good) argument that this OS is not fit for purpose and refunds should be given.

Luckely most organisations with MACs will also be using active directory or novell for their network infrastructure, and so a user having local admin privileges isn't that big an issue. That said, MAC users tend not to be that technical, claiming artistry over technology, and store all sorts of important stuff locally......

6
4
FAIL

Works for me first time on 10.13.1!

If you do not click in the password field, you cannot get in, at least I could not even after 3 attempts. But clicking in the Password field and leaving it blank let's me in right away. Oh Apple, really! TC is too focused on matters of the bedroom than product.

5
1
Silver badge
Windows

Other OS are available

I don't blame Mac owners for installing Windows 10. Secure by design.

6
7
Anonymous Coward

Absolutely not acceptable

Honestly, there are no excuses for this. WTF, Apple? WT freaking F?

Microsoft has at least the decency to hide its problems and make it a bit of a challenge. I have never seen a decent company so dramatically drop the ball in quite some time. Even Microsoft Vista wasn't that exposed from a security angle.

Whoever was responsable for this cockup, firing is too good for them. At a minimum, this ought to involve tar & feathers.

3
0
Silver badge
Meh

Only if....

You have enabled root previously. Root account should not be enabled in macOS.

Consider enabling root to be like jailbreaking or rooting your android. all bets are off? No?

0
12
Anonymous Coward

Re: Only if....

This is the thing. There is a root account. Active. With, apparently, no password. Why on earth there hasn't been a randomised one set (as you have sudo access anyway) is not clear to me and I am disappointed that someone at Apple made that mistake. This is NOT trivial, and I expect fairly harsh words and probably a pink slip event as a consequence for one or more people.

4
0

Rooster

Who was that apple bashing user, named rooster* ?

I’d love to hear his take on this

0
0
Silver badge

Imagine if the space ship in 2001: A Space Oddessy used this version of macOS.

"I can't let you do that Dave"

*clicks unlock a few times*

"OK Dave, here you go."

13
0

This post has been deleted by its author

All aboard the fail bus

I have to agree with some folk here, since Johnnie Ives took over Mac OS it has got steadily worse (I still don't know how he got involved with the Apple with the fail that was the PowerBook G4, maybe Steve liked it's flimsy disposable build quality)....

iOS has become absolute rubbish under his design leadership, used to love my iPhone, now can't wait to dump it for an Android phone (I don't have to jail break Android to get basic UI features that should be on all UI designers lips...)

And this 0day root access flaw is just another example of how Apple are not focused correctly...

7
2
Silver badge

Simple workaround

Don't buy a Mac.

8
2

Re: Simple workaround

Better than that (not everyone wants Wobbly Windows); take a pro's advice (I'm not one, but took it anyway); run the previous or 2nd previous major OS version for stability if it's supported and you don't need the latest and greatest features.

I'm sure El Capitan and Sierra are supported on most Macs that are still in active Apple Support lifecycle.

6
0
Silver badge

Re: Simple workaround

Are we certain the previous versions aren't susceptible to the same problem? I often wonder how issues like this pop up suddenly.

0
0

Re: Simple workaround

If you don't want Windows, Linux is a better option.

Running old versions of OS isn't really a good option, due to the fact that Apple cuts support very quickly.

4
0
Silver badge

Physical access is a problem

with a server. I dont know if there is a single installation of the leaky OS on a server anywhere in the world tho. Access to a laptop is normally, to use the technical term, a piece of piss.

0
0
FAIL

Changing/disabling the root account doesn't work via Directory Utility! You have to use Terminal. OMG, what a fuck-up!

1
3

Not all installs of High Sierra are affected

I have checked a dozen mac's with High Sierra version 10.13.1 and not all installs appear to be affected, only 1 out of the 12 has a blank root password. I have reset the root password on all devices anyway however, I am struggling to see why only 1 of the 12 has this condition? Any thoughts other than someone else reset the password?

3
0

Re: Not all installs of High Sierra are affected

...only 1 out of the 12 has a blank root password. I have reset the root password on all devices anyway however, I am struggling to see why only 1 of the 12 has this condition? Any thoughts other than someone else reset the password?

Total guess, but perhaps if you've upgraded the OS then you'd have a root password set previously, whereas a fresh install fails because of a bug in the new installer?

At risk of #whataboutism, there was an issue with Ubuntu way way way back, where the installer stored the root password in a temporary file and then failed to delete it after install. Leaving it world-readable. That, from a technical standpoint, was similarly embarrassing!

To be fair, it was fixed quickly. And Canonical's entire annual development budget was probably a pittance compared with Apple. But embarrassing bugs are embarrassing. And for some reason I always remember those ones.

Heh... in many ways, far far worse! ;-)

1
0
Thumb Up

Great pic

#positivefeedback

1
0

One more aple gadget that fails in use.

0
0
Silver badge

If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen, too.

Wow just wow!

5
0
Facepalm

Reality distortion field

"However, a member of Apple's support forums had posted details of the flaw more than two weeks ago, though the message appears to suggest the vulnerability could be a useful feature for troubleshooting rather than a critical security threat."

The force is strong.

7
0
Silver badge

Bug?

"If you have configured a root password, the above blank password trick will not work."

So if root doesn't have a password, you can log on to root without a password. Isn't that how it's supposed to work?

That doesn't mean there isn't a bug, though - the bug is instead in the procedure for installing the operating system on the computer, which apparently fails to notify the user that having a password on root is recommended.

Oh, wait, Macintosh computers come with the operating system preinstalled, don't they? But isn't there still some sort of personalization program you go through when you use the computer the first time? That's what should be fixed; being allowed to not have a root password may be a feature that is too risky to leave in, but it isn't really a bug in itself.

0
1
Silver badge

Re: Bug?

No, what's supposed to happen is that the root account doesn't exist.

This is a consumer product. The intended users don't even know what root *is*.

1
0
Happy

and this is why...

we advise people NOT to update to the latest and greatest version of macOS until all these problems have been fixed.. and yes, that may mean we keep our customers on 10.12.6 for up to 6 months post release, but this and all the other issue with 10.13 are making look a lot like 10.7 (shudder).

Better to have a working, stable, supportable release for a production machine, than jumping on the bleeding edge..

4
0

https://twitter.com/petef4/status/935893902397190144

1
0
Mushroom

Again?

I forget the version now, but at least one old version allowed you login in as root with no password by just choosing to log in as another user.

0
0
FAIL

It Just Works

I tried it, and, It Just Works.

3
0

Yet more proof that Apple doesn't care even slightly about security. And they can get away with it. Why? because of low market share and lack of businesses using Mac OS. Seriously, if this was a bug in Windows it would be on the front-page of every news outlet in the country.

Overall though, this is a symptom of Apple's attitude about Mac OS. They clearly don't care anymore and it leaves me wondering if they're going to discontinue Macs 5-10 years down the line. They keep reducing the product line and updates are coming slower and slower. X-Serve, dead. Mac Pro, 4 years old. Mac Mini 3 years old. iMac 3 years (although a new one is coming 3 years a a huge wait). All tower Macs are dead, and even the laptops miss CPU updates.

3
1

This is what happens when you have to have a new version of the OS every year, and skimp on the testing to make the deadline. (Someone else has probably already said this)

1
1

Patch now available

https://support.apple.com/en-us/HT208315

3
0

Re: Patch now available

That was fast. As embarrassing as this bug may be, at least Apple patches severe issues very quickly.

2
0

Re: Patch now available

Yes, well, it was fast but according to reports it also broke SMB sharing between High Sierra machines.

The workaround is (drum roll) to use sudo at the command line to run some obscure utility in libexec.

It seems to me not so much a lack of testing—probably testers would never have thought of that anyway—but someone monkeying around in the code without having a deep understanding of how it works.

High Sierra was supposed to be a maintenance/performance release, with a new filesystem and window manager. It's hard to see how any of the touted changes could have required messing around with the login logic. Someone needs to put an iron fist down and limit the changes in each release to what's necessary, and in particular to forbid random reimplementations of modules just because they're not in Swift or not yet common to iOS.

1
0

Sure...

It's a bug,*eyeball roll* just like the SSH "bug" a few years back.

0
1
Meh

...

We need a new Apple.

0
0
Anonymous Coward

Can't believe they were dumb enough to leave the root password blank

Many years ago when I was a spotty teenager, I hacked into the local university's PR1ME computers because of a similar stupidity. They had SYSTEM (i.e. root) accounts on some of them without a password. Since they didn't have a project (i.e. resources for CPU time, storage, etc.) assigned if you tried logging in as SYSTEM it would immediately log you out - the equivalent of setting the shell to /bin/false on Unix.

However, when I was exploring I found out about a command called 'arid' - add remote ID - which would enable you to visit the filesystem of another network connected PR1ME from the one you logged into, and you'd have the rights of the remote ID you'd given in 'arid' instead of your own rights. So basically I was SYSTEM on the ones that had a blank password. I was able to use that permission to run the user creation program and create myself a system level account and used the project number of one of their sysadmins who had nearly unlimited resources. That enabled me to login and have ability to do anything I wanted (which really wasn't much, I wasn't causing any damage)

Took them a while to catch me since I was dialing in and they didn't have caller ID on their PBX. I think at some point I was lazy and logged in to my created account on the same phone call I had logged in to my dad's account instead of disconnecting and redialing like I always did. Their main interest when they caught me was finding out how I did it, and I have to admit I enjoyed seeing the hand hitting forehead moment for the head guy when I told him it was because of there was no password set on some of the system accounts, and he said "but you can't login to them" and I told him about 'arid' :)

1
0

Don't keep your Mac in a Merc

So things I've learnt this week about security:

1. Disable remote access

2. Don't keep your Mac in a Merc http://www.bbc.co.uk/news/uk-england-birmingham-42132689

1
0
FAIL

Apple's guidance not quite correct - do not disable the root user!

Apple's guidance isn't quite correct. They say "you should disable the root user after completing your task". However, if you set a root password, then disable the root user, it resets the password back to blank and reintroduces the vulnerability.

You need to set a root password, then make sure you leave the root account enabled. Only then do you defeat the vulnerability.

2
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018