macOS High Sierra bug allows Admin access without password

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,745
Reaction score
2,071
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
There is a macOS bug that allows anyone with physical access to your machine to gain admin access without the password. The method of access is extremely easy so anyone can do it. Be sure to lock your computers when you are not using it then only you can unlock the machine.

Comments suggest that this might be fixed in the latest betas, so the bug might be short lived.

However, general good security practice is to set your screen lock to engage within a few minutes of inactivity and have it require your password to continue use.

Read more: https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

To fix the issue before the next version of macOS is out, you can set the root password to avoid this problem.

Read here: https://9to5mac.com/2017/11/28/how-to-set-root-password/
 
Last edited:
Joined
Oct 16, 2010
Messages
17,496
Reaction score
1,541
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
There is a macOS bug that allows anyone with physical access to your machine to gain admin access without the password.


Well I don't have to worry with only my wife around in the house, and besides I haven't bothered to install Apple's "latest and greatest" macOS version, but good grief… how did they manage to miss this rather serious security booboo??? Just mind boggling. :-(

And why and how did it take so long to get discovered???




- Patrick
======
 
Joined
Apr 15, 2016
Messages
967
Reaction score
25
Points
18
Location
Canada
Your Mac's Specs
rMBP i7 mid 2012 macOS 10.12
I just came on to post this. Glad to see you guys are on the ball.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
I read that earlier. However, it looks like Apple is aware of the "root" password back door entry and will close it off with 10.13.2.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey

dtravis7


Retired Staff
Joined
Jan 4, 2005
Messages
30,133
Reaction score
703
Points
113
Location
Modesto, Ca.
Your Mac's Specs
MacMini M-1 MacOS Monterey, iMac 2010 27"Quad I7 , MBPLate2011, iPad Pro10.5", iPhoneSE
Um, on my MBP I have the Beta 4 of 10:13:2 and tried till my hands hurt and root does not log me in. If it was an issue it's fixed and when the .2 update officially comes out the issue will be gone.

I have the iMac still at .1. going to try it there.
 
Joined
May 21, 2012
Messages
10,703
Reaction score
1,158
Points
113
Location
Rhode Island
Your Mac's Specs
M1 Mac Studio, 11" iPad Pro 3rdGen, iPhone 13 ProMax, Watch S7, 2018 15" MBP, AirPods Pro
I just tried on my mini, and it didn’t let me log in with root?
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
@macgig:

Be sure to read if there is already a thread of the same subject before you post. Merged your post together here with this one.
 
Joined
Nov 15, 2011
Messages
948
Reaction score
150
Points
43
Location
Toronto
Your Mac's Specs
MBP 16” M1max 32/1tb and bunch of other mac/apple stuff
This sort of thing always makes me glad I never update an OS until at least a few point releases are out!
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
MASSIVE security hole uncovered in High Sierra!!!!!

There is a very serious security flaw just uncovered in High Sierra that lets a user enable root by simply entering "root" as the user name and hitting the "enter" key with no password entered until it takes. If you have remote access enabled, you risk being remotely hacked. Malicious app that knows this trick? Hacked. Someone sitting in front of your Mac that wants in? Hacked. The flaw can be sidestepped by enabling the root user yourself and setting a password up. I've always done this in the past, but completely forgot about it the last time I did a clean install (which was Sierra). Only High Sierra is affected. Read the details in the article below.

macOS bug lets you log in as admin with no password required
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
This is the second time we had to move a post to a thread that already exists. Please guys and gals.... let's pay attention to what has already been posted. Also, this is the correct forum as it refers to macOS security.

Thanks.
 

Rod


Joined
Jun 12, 2011
Messages
9,631
Reaction score
1,834
Points
113
Location
Melbourne, Australia and Ubud, Bali, Indonesia
Your Mac's Specs
2021 M1 MacBook Pro 14" macOS 14.4.1, Mid 2010MacBook 13" iPhone 13 Pro max, iPad 6, Apple Watch SE.
I have set my login preferences to display as a list of users rather than requiring me to enter my user name. Consequently I can only choose Guest or my user icon. So as there is no option to enter "root" as a user name that would seem to eliminate the problem. Or am I wrong?
 

dtravis7


Retired Staff
Joined
Jan 4, 2005
Messages
30,133
Reaction score
703
Points
113
Location
Modesto, Ca.
Your Mac's Specs
MacMini M-1 MacOS Monterey, iMac 2010 27"Quad I7 , MBPLate2011, iPad Pro10.5", iPhoneSE
Rod, you are correct as that would prevent someone sitting in front of your system from using that hack, BUT I still with 10.13.1 on my Quad Core iMac can not get root to log me in and I have never set up a root account. I have now tried it 100's of times and it keeps failing and wanting a password.
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
It did work on my macOS 10.13.1 on the second try...

That's not a bug, it's a feature in case I forgot my password and locked myself out of the system... :Cool:

While the adage of "if you have physical access to the device, it's game over" is true, still.

Come on Apple, how could you overlook this bug? It's sloppy development and Q&A for sure. There are signs that Apple's software quality isn't as good as used to be and this bug does not help...
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Come on Apple, how could you overlook this bug? It's sloppy development and Q&A for sure. There are signs that Apple's software quality isn't as good as used to be and this bug does not help...

It's yet another sign that MacOS (and likely the entire Mac lineup) is an afterthought at Apple today. It is frankly mind-boggling that such a simple flaw made it through what is presumably a mature QA process. Apple lost a lot of credibility on this one.

I changed my root password this morning after having no trouble replicating the flaw. The funny thing is that you have to "enable" root before you can even change the password, and then in-turn, disable it. More information here:

https://support.apple.com/en-us/HT204012

I am also stunned that Apple didn't have a fix deployed within hours of the discovery. If we had such a severe security flaw in the wild at my company, developers wouldn't be leaving their cubicles until it was patched. This whole situation is very troubling for Apple.
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Also, we have a tendency to dismiss flaws like this by saying "...but it requires local access". Actually, in this case, it doesn't... all I need to do is develop a compelling trojan that gets the user to execute. From there, I can make my malware run in the context of root and completely own the system. If a crafty hacker hasn't taken advantage of this yet (it's been at least 12-14 hours since this hit mass media), I'd be amazed.

Why hasn't Apple released an immediate patch that sets the root password (at the very least)? Their lack of action indicates a severe cultural problem at Apple surrounding security.
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
It's yet another sign that MacOS (and likely the entire Mac lineup) is an afterthought at Apple today. It is frankly mind-boggling that such a simple flaw made it through what is presumably a mature QA process. Apple lost a lot of credibility on this one.

I changed my root password this morning after having no trouble replicating the flaw. The funny thing is that you have to "enable" root before you can even change the password, and then in-turn, disable it. More information here:

https://support.apple.com/en-us/HT204012

I am also stunned that Apple didn't have a fix deployed within hours of the discovery. If we had such a severe security flaw in the wild at my company, developers wouldn't be leaving their cubicles until it was patched. This whole situation is very troubling for Apple.

This bug seems really bad...

Once you assign a password to the root account, it is seemingly a workaround for this bug. But, if you follow the recommendation of disabling the root account afterward, you might be in for a surprise.

Go ahead and try changing system settings, after the password is set and the root account disabled:

  • Type in root and no password for admin credentials in the authentication window and press enter
  • do the same again and voila, you have root access
At the first time, the system will enable the root account and sets the password to blank. At the second try, it'll just log you in, just like it worked initially. I've seen a lot of serious bugs before, but this one is the worst ever!

Leaving the root account enabled, not recommended by Apple, seemingly prevents this bug to resurface. The side effect is that, if you look in the logs there is a failed authorization and then it succeeds in spite of that. Awesome Apple, one of the system process relies on the root account without password. Are you !@#$ serious!!
 
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
Also, we have a tendency to dismiss flaws like this by saying "...but it requires local access*". Actually, in this case, it doesn't... all I need to do is develop a compelling trojan that gets the user to execute. From there, I can make my malware run in the context of root and completely own the system. If a crafty hacker hasn't taken advantage of this yet (it's been at least 12-14 hours since this hit mass media), I'd be amazed.

Why hasn't Apple released an immediate patch that sets the root password (at the very least)? Their lack of action indicates a severe cultural problem at Apple surrounding security.
*-Emphasis mine...

Stand corrected... My excuse, old habits die hard... ;)

If you have remote management or screen sharing enabled, this bug works remotely as well. Argh!!!
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top