This post is a public service announcement for all users of macOS High Sierra (10.13).
(Note: Apple has already released a fix, but if you do not have automatic updates enabled, this may still affect you.)
If you didn’t hear about it already, a major security flaw was discovered last week in how the root user account works on macOS High Sierra.
Although the root account is disabled by default, simply trying to use it to log into any Mac will enable the account. The problem is that whenever the root account is disabled, its password is cleared.
The attack works by attempting to authenticate as root with a blank password more than once: the first attempt reactivates the account, and the second logs you in, without a password, as the highest-privilege account on the machine. It’s as powerful as the Administrator account on Windows.
Any unpatched Mac with a disabled root account is vulnerable. The attack works on the physical machine, as well as over a network via the remote desktop connection.
Before the security patch was installed, I was able to reproduce this problem, firstly in System Preferences on my own MacBook Pro, and secondly on another iMac using the Guest account.
Reports suggest that this only affects people who upgraded to High Sierra and won’t affect you if you have a fresh install. However, it is a good idea to make sure you have the latest security update through the Mac App Store. If you are unable to run updates, you can mitigate this vulnerability by enabling the root account and changing the password, or asking your network administrator to do this for you.
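As an added example (not a script from the original post), here is a small defender-side check that classifies the root account state from the output of `dscl . -read /Users/root AuthenticationAuthority` and prints the mitigation described above; the exact dscl output strings and the sample values below are assumptions and constructed, and the live check only runs on macOS.

```shell
#!/bin/sh
# Classify the root account from dscl output. Assumption: a disabled root
# account has no AuthenticationAuthority ("No such key"), while an enabled
# one carries a ";ShadowHash;" authority, i.e. a real password hash exists.
# root_state OUTPUT -> prints "enabled", "disabled" or "unknown"
root_state() {
    case "$1" in
        *ShadowHash*)    echo enabled ;;
        *"No such key"*) echo disabled ;;
        *)               echo unknown ;;
    esac
}

# affected_release VERSION -> true (0) for any High Sierra 10.13.x build
affected_release() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# advise STATE VERSION -> one-line recommendation for the operator
advise() {
    if ! affected_release "$2"; then
        echo "not High Sierra ($2): this issue does not apply"
    elif [ "$1" = disabled ]; then
        echo "root disabled on $2: install the security update, or run 'sudo dsenableroot' and set a strong root password"
    elif [ "$1" = enabled ]; then
        echo "root enabled on $2: confirm a real root password is set and the security update is installed"
    else
        echo "could not determine root state on $2: inspect the dscl output manually"
    fi
}

# Constructed sample outputs (not captured from a real machine)
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_DISABLED='No such key: AuthenticationAuthority'

# Offline demonstration on the constructed samples
advise "$(root_state "$SAMPLE_DISABLED")" 10.13.1
advise "$(root_state "$SAMPLE_ENABLED")" 10.13.1

# Live check, only on macOS (dscl and sw_vers do not exist elsewhere)
if [ "$(uname)" = Darwin ]; then
    LIVE_STATE=$(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    advise "$LIVE_STATE" "$(sw_vers -productVersion)"
fi
```

Enabling root with a strong password is the interim mitigation; installing the security update remains the real fix.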
This incident reminded me that SQL Server used to be shipped with a blank system administrator password in the old days. Someone on Twitter also reminisced that a login screen on older versions of Microsoft Windows could be bypassed by pressing the
It’s very interesting how attitudes to software security have changed, mostly for the better. While this is a shocking bug for an operating system like macOS, it is a stark reminder that no software is perfect.
Kudos to Apple for releasing a patch so soon after the discovery, and to Microsoft for its security initiatives after Bill Gates wrote his infamous Trustworthy Computing memo.
Feel free to discuss massive security holes with me on Twitter at @bornsql.