Apple has frequently marketed itself as providing a superior, more secure operating environment than you find in the PC universe (whether this is actually true or merely reflects Apple’s relatively small market share is a debated question). That reputation took a massive blow last evening, when security researchers demonstrated a flaw in macOS High Sierra that allows administrator access to a system with a hardcoded login and no password at all.
Reproducing the bug is simple (at least until Apple fixes it): type the login “root,” then move the cursor into the password field and hit Enter several times. It also apparently works if you simply hit the “login” button several times rather than using the keyboard, though a few tries may be necessary.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Ars Technica confirmed the bug on three different Macs, all of which were tested multiple times. Security researcher Amit Serper notes that AppleScript can be used to create a root shell from the command line as well. Initially he didn’t think this was possible, which is why his tweet is phrased that way:
I stand corrected. you can use apple script to trigger a root shell from the command line. https://t.co/PhvwoisSk5
— Amit Serper (@0xAmit) November 28, 2017
You can also log in with this method if the machine is rebooted. A locked screen isn’t vulnerable to this attack, and full disk encryption seems to stop it as well, but a powered-off Mac running High Sierra can be rebooted and penetrated with no problem at all. Lemi Orhan Ergin notes that the bug can also be used from within the OS to unlock user and group preferences.
It’s baffling that a security bug this severe would make it into a shipping product. macOS High Sierra has been shipping for months. It’s been in beta for even longer. And apparently, somehow, this error snuck through unnoticed. In fairness to Apple, it’s the simple kind of error that even security testers might skip checking, because no one expects an error this obvious to get made in the first place.
But, by the same token, the fact that this error is so low-level makes it extremely serious. If you allow access to your Mac via remote services or have enabled screen sharing, you’ll want to turn those features off immediately. Apple will almost certainly have a security fix ready to go in a matter of days; we’ll update this story as soon as they do. Until they patch the flaw, setting a root password will help you avoid the problem.