A huge security flaw lets anyone log in to a Mac running Apple's latest OS. Here’s what High Sierra users need to do.
There's been a sharp rise in the number of breaches and security flaws in recent years, but the latest, affecting Apple's newest operating system, macOS High Sierra, is something else.
While most flaws can only be exploited by hackers or people with a certain level of technical knowledge, a vulnerability found in the Mac software can be taken advantage of by anyone.
If you're running High Sierra 10.13.1, it's possible for anyone to log in to your account and preferences simply by typing the word “root” in the username field. That's right, you can get access to an entire drive, personal files, account preferences (including those in security and privacy) and could even install software, including malware, with a simple login.
We have been able to replicate the flaw, although it took three attempts for it to work. Either way, this is huge.
The flaw appears to have been first identified by security researcher Lemi Orhan Ergin, founder of Software Craftsman Turkey, who posted the details on Twitter. In the tweet Ergin wrote: “Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as ‘root’ with empty password after clicking on login button several times. Are you aware of it @Apple?”
He then followed it up with: “You can access [the flaw] via System Preferences>Users & Groups>Click the lock to make changes. Then use ‘root’ with no password. And try it for several times. Result is unbelievable!”
UPDATE: There was a temporary workaround (details below) but Apple has since released a permanent fix in the form of a security update, called 2017-001. The update is available for anyone running macOS High Sierra 10.13 and macOS High Sierra 10.13.1 as the flaw does not affect macOS Sierra 10.12.6 or earlier. Apple lists the flaw as "a logic error in the validation of credentials."
Install Apple's security update
To update to the latest software and install this security update:
- Open the App Store
- Click Updates from the toolbar
- Press the Update buttons next to each entry to download and install any updates listed
If your Mac is set up for automatic updates, or if you want to check the update process has worked:
- Open the Terminal app in Utilities, found in the Applications folder.
- Type what /usr/libexec/opendirectoryd and press Enter
- If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
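The check above can be scripted so that the version reported by `what` is compared automatically against the project version Apple lists for the installed OS release. The shell script below is an added example, not code from the article or from Apple; the function names are my own, the layout of the `what` output it parses (a line containing `PROJECT:opendirectoryd-<version>`) is an assumption, and the two sample outputs are constructed, not captured from a real Mac. On a Mac it runs the live check; elsewhere it only defines the functions.

```shell
#!/bin/sh
# Added example: verify that Security Update 2017-001 is present by parsing the
# output of `what /usr/libexec/opendirectoryd` and comparing the reported project
# version with the one Apple lists for the running macOS release.

# Patched opendirectoryd project version for a given macOS product version.
# Only the two High Sierra releases the update covers are known; anything else
# (including 10.12.6 and earlier, which are not affected) returns an empty string.
expected_odd_version() {
    case "$1" in
        10.13)   echo "opendirectoryd-483.1.5" ;;
        10.13.1) echo "opendirectoryd-483.20.7" ;;
        *)       echo "" ;;
    esac
}

# Pull the PROJECT:opendirectoryd-X.Y.Z token out of the `what` output.
# The output layout is an assumption; adjust the pattern if it differs.
parse_odd_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*PROJECT:\(opendirectoryd-[0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Exit status 0 when the installed project version matches the patched version
# for the given OS release, non-zero otherwise (including when either is unknown).
check_patched() {
    what_output="$1"
    os_version="$2"
    installed=$(parse_odd_version "$what_output")
    expected=$(expected_odd_version "$os_version")
    [ -n "$installed" ] && [ -n "$expected" ] && [ "$installed" = "$expected" ]
}

# Constructed sample outputs (not captured from a real machine). The version in
# the "unpatched" sample is a placeholder, not the real pre-update version.
SAMPLE_PATCHED_10131='/usr/libexec/opendirectoryd:
    PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'
SAMPLE_UNPATCHED_10131='/usr/libexec/opendirectoryd:
    PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.0'

# On a real Mac, check the live system; on other platforms this block is skipped.
if [ -x /usr/libexec/opendirectoryd ] \
   && command -v what >/dev/null 2>&1 \
   && command -v sw_vers >/dev/null 2>&1; then
    live_out=$(what /usr/libexec/opendirectoryd 2>/dev/null)
    live_os=$(sw_vers -productVersion)
    if check_patched "$live_out" "$live_os"; then
        echo "Security Update 2017-001 is present: $(parse_odd_version "$live_out")"
    else
        echo "Patched opendirectoryd not found for macOS $live_os; install Security Update 2017-001"
    fi
fi
```

Save it as a file and run it with `sh` on the Mac you want to check; a match against the version for 10.13 or 10.13.1 means the update is installed, and any other result (including an OS release the script does not know) is treated as "not verified" rather than as safe.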
If you need the root user account on your Mac after this security update has been installed, you'll need to re-enable the root user and change the root user's password. You'll find step-by-step details below.
Before Apple pushed out the software fix, there was a workaround to manually set a root password to prevent unauthorised access to your Mac – and you may need to know this in future anyway.
Enable or disable the root user:
- Click the Apple menu in the top left-hand corner, select System Preferences and open Users & Groups (or Accounts).
- Click the lock icon and enter your administrator name and password.
- Select Login Options and click Join (or Edit).
- Open Directory Utility.
- Click the lock icon again in the Directory Utility window and enter the administrator name and password again.
- From the Directory Utility menu bar, choose Edit > Enable Root User and enter the password you want to use for the root user, or choose Edit > Disable Root User.
Log in as the root user:
After you've enabled a root user, only the person logged in as that root user can make root-level changes. To log in as a root user:
- Click the Apple icon and select Log Out.
- When prompted to log in, enter the username “root” and the password you created above.
If the login window shows a list of users, click Other and then log in.
Remember to disable the root user after completing your task.
Change the root password
- Open System Preferences from the Apple menu and select Users & Groups (or Accounts).
- Click the lock icon and log in.
- Click Login Options and then Join (or Edit).
- Open Directory Utility.
- Click the lock icon in the Directory Utility window and re-enter the login details.
- From the menu select Edit and then Change Root Password.
The full instructions and more about root users can be found on Apple's official support page.
This video will also guide you through the process. Rene Ritchie (@reneritchie) posted it on November 28, 2017, with the message: “If you’re running #macOS #HighSierra, stop and do this *now* to fix the root access vulnerability. Then share it with everyone you know and make sure they do it too.” https://t.co/e9sErEvKNI pic.twitter.com/9jKcV7FAXm
Not everyone has been able to replicate the flaw, and Ergin has been fiercely criticised for making the flaw public rather than going through a bug bounty program or highlighting the vulnerability through the proper channels to Apple directly.
This isn't the first bug seen in High Sierra. On the day of launch, malicious code was found on the system that could access and steal keychain data without a password. Another flaw exposed a user's password as a password hint when trying to unlock an encrypted partition.