Nov 28, 2017

Security flaw allows full admin with empty password on macOS

This bug allows you to log in to, or unlock, macOS High Sierra with full admin access using nothing more than an empty password.

Basically, the bug lets you authenticate as the superuser account root with an empty password (yes, an empty password!). root has full access to change anything in the operating system and any file on it. The root user is a built-in account in every Linux or Unix-like operating system, normally used for configuration and administration tasks.

The vulnerability was found by developer Lemi Ergin and reported to the Apple Support team via Twitter.

You can reproduce the issue with the following steps:

  1. Open System Preferences,
  2. Then click Users & Groups (or Accounts)
  3. Click the lock (🔒) to make changes
  4. Change the user name to “root”
  5. Click into the password field (leave it empty)
  6. Click the “Unlock” button (sometimes requires more than one click)

[Screenshot: Users & Groups unlock window]

How to fix it

Apple Support has recommended, as a temporary fix, assigning a password to the root user, as explained in the following link.

The next steps are based on macOS High Sierra version 10.13.1.

  • System Preferences > Users & Groups > Click the lock to make changes, enter admin user credentials and click the “Join” button

[Screenshot: Click the Join button]

  • In the next window click the “Open Directory Utility” button

[Screenshot: Open Directory Utility button]

  • Click the lock button and enter admin user credentials again; the menu bar option “Enable Root User” then becomes available

[Screenshot: Enable Root User menu option]

  • Enter the new root user password.

Don’t disable the root account afterwards: a disabled root account is the condition that makes the bug reappear.
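A command-line check for the state the steps above leave the root account in, added here as an example and not part of the original post. It assumes, from how macOS Directory Services records accounts rather than from anything in the post, that an account enabled with a password carries a ";ShadowHash;" entry in its AuthenticationAuthority attribute, that a disabled account carries ";DisabledUser;", and that a never-enabled root has no such attribute at all.

```shell
#!/bin/sh
# Classify the macOS root account from the text of its AuthenticationAuthority
# attribute, as printed by:  dscl . -read /Users/root AuthenticationAuthority
# Assumed markers (not from the original post): ";ShadowHash;" = password set,
# ";DisabledUser;" = account disabled, no attribute at all = never enabled.
classify_root_auth() {
    case "$1" in
        *";DisabledUser;"*)
            echo "disabled" ;;      # root disabled: the state in which the bug reappears
        *";ShadowHash;"*)
            echo "password-set" ;;  # root enabled with a password: the temporary fix
        ""|*"No such key"*|*"eDSAttributeNotFound"*)
            echo "no-password" ;;   # root never given a password: affected state
        *)
            echo "unknown" ;;
    esac
}

# Exit 0 only when root has a password set, so the check can gate a monitoring job.
root_is_protected() {
    [ "$(classify_root_auth "$1")" = "password-set" ]
}

# Live check on a Mac: read the attribute (stderr merged, because a missing
# attribute is reported there) and classify it. Returns 2 when dscl is absent.
check_live_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only runs on macOS" >&2
        return 2
    fi
    attr="$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)"
    echo "root account state: $(classify_root_auth "$attr")"
    root_is_protected "$attr"
}

# Constructed sample outputs (not captured from a real machine) to exercise
# the classifier on systems without dscl.
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_MISSING='No such key: AuthenticationAuthority'

# Run the live check only when asked: sh root_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_root
fi
```

With `--live` the script exits non-zero whenever root is not in the password-set state, which is the condition the steps above are meant to establish.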

Hopefully Apple will address this issue as soon as possible and offer a definitive fix, considering the high risk this bug represents.

UPDATE 11/29/17: Apple has already published a Security Update for macOS that fixes the issue.