Security

Flaw in macOS High Sierra gives anyone root access, and here's the fix

The vulnerability allows an attacker to log in as an admin using a blank password. You must set a root password to protect the machine.

On Tuesday, a software engineer discovered a major macOS High Sierra security flaw: Anyone can log into an admin account by typing the username "root," with no password—leaving all up-to-date Macs open to attack.

The root admin login works on both locked and unlocked Macs, researchers found. ZDNet, AppleInsider, and many others have confirmed that the vulnerability is functional and extremely easy to take advantage of.

All versions of High Sierra contain the flaw, including version Beta 5 that was released on Tuesday, AppleInsider noted.

Apple is working on a software update to fix the issue, a spokesperson said. In the meantime, users should set up a root password, which prevents unauthorized access to a Mac.

SEE: Information security incident reporting policy (Tech Pro Research)

Here's how to enable or disable the root users, according to Apple Support:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user. Or choose Edit > Disable Root User.

If a root user is already enabled, you should follow these instructions to change the root password and ensure a blank password is not set, according to Apple:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility, choose Edit > Change Root Password...
  8. Enter a root password when prompted.

This is not the first security issue identified on Macs this year. In September, an iOS security flaw called LeakyX caused Exchange credentials to be transmitted without encryption—even if SSL was enabled. That month, a former NSA hacker found that in macOS High Sierra, a flaw allowed people to steal the entire contents of the Keychain with an unsigned app. And many Macs may include firmware vulnerabilities and are susceptible to attacks, according to a report from Duo Security.

For more data security and privacy tips for iOS, click here.

macos-high-sierra-image.jpg
Image: CNET

Also see

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.

Editor's Picks

Free Newsletters, In your Inbox