
Mac High Sierra allows trivial creation of a root account

By Greg S
Nov 28, 2017
  1. An embarrassingly large security flaw has been discovered on Macs running the newest version of High Sierra, version 10.13.1. Apparently, any person can force the creation of a root account simply by entering "root" as the username when elevated permissions are requested.

    Opening Preferences and attempting to access a locked panel opens a dialog requesting administrative credentials. Normally your own username and password would be required, but entering "root" as the username and leaving the password field blank bypasses the prompt.

    Before you try this on your own Mac, be aware that doing so creates a root-level account that must then be disabled (or given a password) so that it cannot be abused later. The vulnerability was publicly reported by Lemi Orhan Ergin on Twitter.

    This exploit is easiest with physical access to a machine running version 10.13.1, but there is no reason it could not be automated and triggered remotely wherever an attacker already has code execution. Any regular user effectively has full control over a Mac with this vulnerability in place.

    Given the nature of this issue, be very careful about who has physical access to your machine. No skill is required to take advantage of the problem, so anyone who reaches the login prompt can do as they please with your hardware.

    As a temporary fix, you can intentionally enable the root account yourself and then set a strong password on it. This may not fully secure your system against further exploits, but it is better than doing nothing at all.
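Before applying that temporary fix, an administrator usually wants to know whether the root account on a given Mac has already been enabled. The following script is an added example, not part of the TechSpot article: it queries the local directory with `dscl` and classifies the result. It assumes (as Apple's directory layout generally behaves) that a root user that was never enabled has no AuthenticationAuthority attribute, while an enabled one carries a ;ShadowHash; entry; the classifier is kept separate so it can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example: report whether the macOS root account is enabled.
# ASSUMPTION: a disabled root user has no AuthenticationAuthority
# attribute (dscl reports "No such key"), an enabled one has a
# ;ShadowHash; password entry. Note that the check cannot tell a
# strong root password from a blank one; it only tells you whether
# root exists as a login-capable account.

# root_state <dscl output>  -> prints one of:
#   disabled : attribute absent, root was never enabled
#   enabled  : attribute present with a password hash
#   unknown  : anything else (treat as needing manual review)
root_state() {
    case "$1" in
        "")                  echo disabled ;;
        *"No such key"*)     echo disabled ;;
        *"ShadowHash"*)      echo enabled ;;
        *)                   echo unknown ;;
    esac
}

# Only query the live system when dscl exists (i.e. on macOS);
# elsewhere this block just defines root_state for reuse.
if command -v dscl >/dev/null 2>&1; then
    # dscl prints the "No such key" message on stderr and exits non-zero
    # when the attribute is absent, so capture both streams and ignore
    # the exit status.
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    state=$(root_state "$out")
    echo "root account: $state"
    case "$state" in
        disabled) echo "Root is not enabled yet: enable it deliberately and give it a strong password (Directory Utility) so nobody can create it with a blank one." ;;
        enabled)  echo "Root is already enabled: verify its password is strong and not blank, or disable it if it is not needed." ;;
        *)        echo "Unexpected dscl output, review manually:"; echo "$out" ;;
    esac
fi
```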


  2. jobeard

    jobeard TS Ambassador Posts: 12,223   +1,363

    Correct -- create the account and then give it a good password.

    BTW: Before you overreact:
    • Windows has a similar exposure in activating the Administrator account
    • having physical access to the machine is usually a requirement not easily circumvented
    • most of the time, a null password is not allowed for the Admin or Root account -- apparently this time it's not the case :sigh:
  3. bexwhitt

    bexwhitt TS Guru Posts: 380   +85

    I regularly activate the Vista/7/8/8.1/10 administrator account, and sure, it should NEVER be used for general use. How you get access to it is easy (with the knowledge) but not available to the normal user, and you need access to an administrator command line to activate it.

    The all access Administrator account is for solving problems, needed and risky in some hands.

    BTW I always deactivate it after I've done the task I needed it to do.
