Massive Mac Flaw Gets Root Access in Seconds

UPDATED 9 p.m. EST Nov. 28 with comment from Apple, and 9:30 a.m. Nov. 29 with further details on how to break into a Mac.

A very simple task will let anyone gain permanent root access to Macs running macOS 10.13 High Sierra, earning easy access to all settings and data.

Credit: Guteksk7/Shutterstock


First disclosed on Twitter earlier today (Nov. 28) by Turkish app developer Lemi Orhan Ergin, the bug lets anyone, not just users with administrator privileges, get into System Preferences by clicking on the lock, typing in "root" as the username and leaving the password blank. That may take several tries, but it eventually goes through.

Then it gets dastardly. The above procedure creates a new user profile that presents itself as "Other" on the Mac's primary login screen. Type in "root" as the username, type in nothing for the password, and you will open an account with complete root access.

UPDATE: Methods other than the one outlined above activate the root account, as demonstrated in this YouTube clip that shows an attacker using Apple's Screen Sharing feature to remotely activate the root account on a Mac to which he's connected over a network. Nor must the root password be blank -- the attacker can in fact choose any password.


We tested this procedure on both an old MacBook Pro and the latest MacBook Air, each running High Sierra. In both cases, we were able to run routine "periodic" diagnostic commands that would usually require temporary "sudo" privileges and an administrator's password -- but this time, with no "sudo" request or admin credentials at all.

On Twitter, Apple Support wrote to Ergin: "Thanks for reaching out. Send us a DM, and we'll look further into this with you."

We reached out to Apple ourselves but did not hear back immediately. We will update this story if we receive a response.

Your Mac is now ready and willing to do anything. Credit: Andrew Freedman/Tom's Guide


This is a massive security issue, as it would permit anyone to easily seize control of your laptop if they had even brief physical access. Even worse, this secret is now completely out in the open. Generally, flaws like this are disclosed privately to the company so they can be fixed without anyone taking advantage.

One way to prevent this would be to enable root access on your own, using the kosher method recommended by Apple on its support page, and give the root account a password. Then you can go to the terminal and type "dsenableroot -d" (without quotes) to turn off root access.

Anyone who tries to get in this way won't have the right password. If you want to turn root access back on, type "dsenableroot" in the terminal.

UPDATE: In a statement to MacRumors, Apple said that it was "working on a software update to address this issue." It then pointed users of macOS 10.13 High Sierra to the same Apple support page we've indicated above and suggested adding a password to the root account.

Andrew E. Freedman

Andrew E. Freedman is an editor at Tom's Hardware focusing on laptops, desktops and gaming as well as keeping up with the latest news. He holds a M.S. in Journalism (Digital Media) from Columbia University. A lover of all things gaming and tech, his previous work has shown up in Kotaku, PCMag, Complex, Tom's Guide and Laptop Mag among others.
