macOS High Sierra ‘root’ security issue allows admin access without a password—but there’s a fix

macOS High Sierra ‘root’ security issue allows admin access without a password—but there’s a fix

On Tuesday, a macOS 10.13.1 security issue was revealed—a flaw that allows root access to a Mac without the need for a password. Developer Lemi Orhan Ergin tweeted that anyone can log into a Mac by entering the user name root without a password. The first time you try to login, it won’t work. But if you try it again, you will be granted access. Here’s Erign’s tweet:

As Apple’s support document notes, root is a “superuser” that grants access to areas of the system that are often used by system administrators.

At Macworld, we tried it on our own MacBook Pro running macOS 10.13.1, and the root login worked. See the video below.

This issue seemed to work only after you are logged into a Mac under a different user name. I wasn’t able to use root and no password at the Mac’s user login screen that appears at startup.

An Apple spokesperson sent Macworld the following statement:

We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.

How to fix the root security issue

This hole will probably be fixed in a future macOS High Sierra update. In the meantime, there are steps users can take to fix the hole. The fix is to change the password for root. Here’s how.

1. In the Finder, click on the Go menu and select Go to Folder.

finder go gotofolder.jog IDG

2. Enter the following: /System/Library/CoreServices/Applications/ and then click Go.

go to core services IDG

3. Find the Directory Utility app and launch it.

directory utility icon IDG

4. Click the lock in the lower left to make changes. In the pop-up window, enter your user name and password, then click Modify Configuration.

directory utility make changes IDG

5. Click on Edit in the menu bar and select Change Root Password.

6. In the pop-up window, enter a password and verify it. Click OK.

root change password IDG

7. In the main window of Directory Utility, click the lock to lock it and prevent further changes.

8. Quit Directory Utility. You are done.

If you try to enter root without a password at a login prompt, the prompt will shake and reject your login. You’ll need to enter your new password to gain root access.

IDG Insider

PREVIOUS ARTICLE

«Civilization VI's Rise and Fall expansion will let you seize cities without unleashing war

NEXT ARTICLE

How IBM is preparing for GDPR»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Will Kotlin overtake Java as the most popular Android programming language in 2018?