Serious macOS Bug Allows Anyone to Get Full Access to Your Mac

A serious vulnerability in macOS High Sierra as disclosed yesterday. It allows anyone with physical access to your Mac to log in as the “root” user, without entering a password. The root user is the super-user, the one that can do anything on your Mac. Root has more power than an administrator, and can view all the files of all users.

For some reason, macOS High Sierra seems to have a root account set up with an empty password; so you just log in with “root” as user name and leave the password field blank. You may need to try this several times, but lots of people have tested and shown that it works in most cases. The exception is if you have FileVault enabled, since that requires a different password to unlock a disk. However, if your disk is already unlocked, then the root vulnerability can be exploited. (Note that this doesn’t affect older versions of macOS.)

As Adam Engst wrote on TidBITS, “The reason this shouldn’t work is that the root user isn’t supposed to be enabled.” By default, this account is not set up; or shouldn’t be. Adam’s article explains how you can protect yourself from this vulnerability; you simply have to enable the root account and add a password.

This vulnerability only affects your Mac if someone has physical access, or if they can connect via Screen Sharing (which you would need to activating in the Sharing pane of System Preferences).

One note about the way this was disclosed. A developer shared this on Twitter, effectively making it a zero-day vulnerability which people need to defend. Instead of reporting it to Apple, he chose to go public, which, for this type of bug, is harmful. Since he is a developer, he could certainly have figured out how to report it responsibly (it’s not hard to find Apple’s Contact Apple About Security Issues page and the address. The developer might have been frustrated by Apple’s impractical bug reporter, but that’s no excuse. You simply don’t go public with vulnerabilities this serious.