By Dan Moren

November 28, 2017 1:08 PM PT

Developer goes public with macOS root vulnerability

Note: This story has not been updated for several years.

Developer Lemi Orhan Ergin uncovered a vulnerability in macOS High Sierra allowing access to the root superuser account without a password:

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

Unsurprisingly, that news has quickly rippled through the Apple community as many people—including yours truly—have verified the claim. You can test it for yourself by going to any locked System Preferences pane, trying to unlock it, and entering username root with no password. (The number of tries varied for me—sometimes it worked on the first attempt, but pretty much always by the second.)

Obviously, this isn’t great, and the manner of disclosure didn’t help much either. Usually it’s advisable to disclose these vulnerabilities privately to the vendor, so that it can patch any holes before malicious parties attempt to use them for their own gains. But that ship has sailed.

What can you do in the meantime? The easiest solution appears to be changing the password for root. To do so, in the Finder, use Spotlight to open the Directory Utility app¹ and go to Edit > Change Root Password. (If that option is currently grayed out, you may first need to choose Edit > Enable Root User.) Enter a new password when verified, preferably a strong one generated with Keychain Assistant, 1Password, or a similar tool.² At that point, you should be all set.

While this flaw is bad—you never want to give unfettered access to a user with root‘s power—the vulnerability doesn’t seem to be remotely exploitable, unless the attacker already has login credentials. (Logging in as root with no password via the login window or via SSH didn’t seem to work in my tests.) However, if somebody already has remote access to your machine, or has physical access, then this could be a worry.

Update: TidBITS proprietor and friend Adam Engst says he was able to log in as root with no password, even via screensharing, which makes this a much scarier flaw. I haven’t been able to duplicate his efforts, but it makes it that much more imperative that you change your root password.

Apple no doubt is working double time to get to the…root…of this flaw.³ In the meantime, however, you should change the root password on your Macs and make sure to secure physical access if you haven’t already. And above all, don’t panic.

Here’s the official word from Apple, supplied to us a little while ago:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Updated at 5:45pm Eastern to provide an easier way to open the Directory Utility.

[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @dmoren@zeppelin.flights or reach him by email at dan@sixcolors.com. His latest novel, the supernatural detective story All Souls Lost, is out now.]

If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.