[Update]: The issue has been fixed now.
Security researchers have identified a bug in Apple's macOS that affects even the latest version of the operating system. The security flaw enables anyone with physical access to a Mac to create a root account with no password by going through the System Preferences options.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
All that an attacker with access to a machine needs is to follow these simple steps that merely take a few seconds:
- Open System Preferences > Users & Groups.
- Click on the lock icon in the bottom-left corner of the window.
- Type "root" in the username field.
- Place the cursor in the password field but leave it empty.
- Click on the Unlock button repeatedly until the user is created.
Wccftech has confirmed this security flaw on macOS High Sierra 10.13.1. It usually takes only two attempts to create a root user without any password and with full system privileges. It appears that the flaw can also be exploited remotely, as some researchers have said that once a root account has been enabled, it could be used to log in to a vulnerable Mac without having physical access to it. If screen sharing is enabled, that too puts a user at risk of remote exploitation.
If certain sharing services enabled on target - this attack appears to work remote ☠️ (the login attempt enables/creates the root account with blank pw) Oh Apple pic.twitter.com/lbhzWZLk4v
— patrick wardle (@patrickwardle) November 28, 2017
While Apple has responded to the initial tweet with a routine "send us a DM tweet," it is also unclear if the researcher tried to report this to the iPhone maker before disclosing this vulnerability. For now, security experts have advised macOS users to create a user account with the name "root" and a password to avoid someone else exploiting this bug.
Apple might have acknowledged this macOS "bug"
In what appears to be a response to these reports, Apple has shared steps to disable or enable the root account and to change the password of that account. The support page was published today and states that the root account is a superuser used to perform tasks that require access to "more areas of the system".
Here is how to change the password of a root account since it appears there already is one being shipped with every Mac without requiring a password.
- Choose Apple menu > System Preferences, Users & Groups.
- Click the lock icon and enter an administrator name and password.
- Click Login Options > Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window and enter an administrator name and password.
- From the menu bar in Directory Utility, you can Enable Root User, Disable Root User, and Change Root Password.
The best way to avoid any security issues that might appear because of this flaw is to go to the options above, change the root password, and then keep the account enabled. Some users have reported that disabling the root account resets its password too.
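For administrators who need to check more than one Mac, here is an added audit helper (not the article's or Apple's code) that classifies the root account from `dscl` output. It assumes that a root account disabled via `dsenableroot -d` carries the `;DisabledUser;` tag in its `AuthenticationAuthority` attribute; that tag and the sample outputs below are assumptions and constructed data, not taken from the article.

```shell
#!/bin/sh
# Audit helper for the High Sierra root-account issue. Assumption: on macOS,
# a root account disabled with `dsenableroot -d` has ";DisabledUser;" in its
# AuthenticationAuthority attribute; the attribute name and tag are assumed.

# classify_root_auth: read the output of
#   dscl . -read /Users/root AuthenticationAuthority
# on stdin and print one of: disabled, enabled, missing.
classify_root_auth() {
    out=$(cat)
    case "$out" in
        *"AuthenticationAuthority:"*";DisabledUser;"*) echo disabled ;;
        *"AuthenticationAuthority:"*)                   echo enabled ;;
        *)                                              echo missing ;;
    esac
}

# Constructed sample outputs showing the two shapes (hash lists elided).
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# audit_live_root: run on the Mac itself. Returns 0 when root is disabled,
# 1 when it is enabled or the attribute is missing (set a root password, as
# the article advises; `sudo passwd root` does the same as the GUI steps),
# and 2 when dscl is unavailable (not macOS).
audit_live_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only runs on macOS"
        return 2
    fi
    state=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null | classify_root_auth)
    if [ "$state" = disabled ]; then
        echo "root account is disabled"
        return 0
    fi
    echo "root account is $state: set a root password now"
    return 1
}
```

Run `audit_live_root` from a management script and alert on a non-zero exit; the classifier can also be fed saved `dscl` output collected from other machines.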
While Apple rarely comments on security issues, we will update this space if the company comments on this or if it releases any workaround to this system flaw with any future updates.
[Update]: Apple has said it is "working on a software update to address this issue" and has directed macOS users to the above instructions for setting a root password to prevent "unauthorized access to your Mac".