Serious macOS High Sierra security vulnerability - root user with no password

A serious vulnerability has been found in macOS High Sierra - I have no clue how it could ever have happened. The main problem with this issue is that it doesn't require any computer knowledge at all to take advantage of. Your grandparents can do it, provided they are able to move the mouse and use the keyboard (most non-techie users I know these days have finally learned this).

For some odd reason, the user "root" has no password!!!

This means: anyone with access to your computer can log in as administrator using no password. The username is root and the password is blank. Blank as in totally blank. Not "blank". Yes. That's right. BLANK.

What can a root user do?

  • Access your other user accounts
  • Disable Local Disk Encryption (FileVault)
  • Disable firewalls
  • Basically, he is GOD on your computer, and can do whatever he wants.

What you need to do

Apple is working on a fix, but there's no time to wait. Please go ahead and change the root password to a strong password. See Apple's guide on how to do so.

Some people advise disabling the root account, but this is a misunderstanding. If you disable the root account, it can be re-enabled by a failed login attempt. Whatever is entered as the password in that failed attempt will become the new password for the root user.

If you're familiar with the terminal, you can simply run this command, which sets the root password to 60 random alphanumeric characters:

cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 60 | xargs -I rootpw sudo dscl . -passwd /Users/root rootpw
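
To confirm the state of the root account before and after running that command, here is an added example (not part of the original post) that classifies the output of a read-only `dscl` query. It assumes a disabled root record has no AuthenticationAuthority attribute and an enabled one carries a `;ShadowHash;` entry; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the local root
# account is enabled, by classifying `dscl` output.
# Assumption: a disabled root record has no AuthenticationAuthority attribute
# (dscl answers "No such key"); an enabled one carries a ";ShadowHash;" entry.

# Reads `dscl . -read /Users/root AuthenticationAuthority` output on stdin
# and prints one of: disabled | enabled | unknown
classify_root_record() {
    record=$(cat)
    case "$record" in
        *"No such key: AuthenticationAuthority"*) echo disabled ;;
        *";ShadowHash;"*)                         echo enabled ;;
        *)                                        echo unknown ;;
    esac
}

# Maps a state to what the post's advice implies for an unpatched machine.
advice_for() {
    case "$1" in
        disabled) echo "a failed login attempt can re-enable root: set a strong password" ;;
        enabled)  echo "root has a password: make sure it is the one you set" ;;
        *)        echo "could not classify the root record: inspect it manually" ;;
    esac
}

if command -v dscl >/dev/null 2>&1; then
    # Real, read-only query against the local directory node (macOS only).
    state=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_record)
    echo "$state: $(advice_for "$state")"
else
    # No dscl here (not macOS): run over constructed sample outputs instead.
    for sample in \
        'No such key: AuthenticationAuthority' \
        'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
    do
        state=$(printf '%s\n' "$sample" | classify_root_record)
        echo "$state: $(advice_for "$state")"
    done
fi
```

The check only shows whether a password is set on the root record; it cannot tell who set it or what it is.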

This is serious.

If you have remote access enabled, your MacBook can even be accessed remotely this way, so go do something about it.
