A major security flaw has been discovered in Apple’s macOS High Sierra operating system that allows anyone to access the root/admin account on a Mac. MacRumors reported the bug, via a developer named Lemi Ergin, saying that anyone can log into the admin account by entering "root" as the username and leaving the password field blank. Apple has acknowledged the flaw and said it is working on a software update to fix the issue.
The root/admin account grants escalated privileges to a user, including full read and write access to system files. As per the report, the flaw allows admin access on an unlocked Mac and can also be exploited from a locked Mac’s login screen. Users can try it from their normal or even a guest account by navigating to Users & Groups in System Preferences and clicking on the lock icon. A prompt asking for a username and password will appear; the user enters ‘root’ as the username, clicks on the password field but leaves it blank, and clicks Unlock. The admin account is then unlocked for use.
You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use "root" with no password. And try it several times. Result is unbelievable! pic.twitter.com/m11qrEvECs — Lemi Orhan Ergin (@lemiorhan) November 28, 2017
As per Apple’s instructions, a user should set a password for the root account instead of leaving it blank so that it can’t be accessed by anyone else. Apple, in a statement to MacRumors, said, “Setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section.” The bug is reportedly present in the current version of macOS High Sierra and in its beta, which is currently in testing.
To set a root password, users need to follow the same process described above for accessing an admin account and then click on Login Options. Next, click on Join (or Edit) next to Network Account Server, then click on the lock icon in Open Directory Utility. A prompt will ask for the user’s administrator name and password, after which one needs to select Enable Root User from the ‘Edit’ menu in the menu bar and enter a new password for the root account. Apple says this method will prevent the root account from being accessed with a blank password until it releases a patch. As the bug can also be exploited from a guest account, macOS High Sierra users have been advised to disable the guest account as well.
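As an added example, not part of the original article or of Apple's instructions, the following POSIX shell script is the command-line counterpart of that check for an administrator auditing a fleet: it uses Apple's dscl(1) to read the root account's AuthenticationAuthority attribute, classifies the result, and only when root is already enabled tests whether an empty password authenticates; Apple's dsenableroot(8) is the tool that sets a root password from the shell. The classification rules, the output strings and the recommend_action helper are this example's own assumptions about dscl output, not documented Apple behaviour.

```shell
#!/bin/sh
# Added example: audit whether the macOS root account is enabled and whether it
# accepts an empty password. Pure functions are separated from the live dscl
# calls so the logic can be exercised on constructed input off-box.

# Classify the text printed by `dscl . -read /Users/root AuthenticationAuthority`
# (stdout and stderr combined). Echoes one of: disabled, enabled, unknown.
# The matched substrings are assumptions about dscl's output format.
classify_root_state() {
    output="$1"
    case "$output" in
        *"No such key"*)  echo "disabled" ;;  # attribute absent: root never enabled
        *"DisabledUser"*) echo "disabled" ;;  # marker written by `dsenableroot -d`
        *"ShadowHash"*)   echo "enabled"  ;;  # a password hash record exists
        *)                echo "unknown"  ;;
    esac
}

# Map (state, blank-password-accepted?) to the action an administrator should
# take. $2 is "yes" when an empty password authenticated, "no" otherwise.
recommend_action() {
    state="$1"; blank_ok="$2"
    if [ "$state" = "enabled" ] && [ "$blank_ok" = "yes" ]; then
        echo "set-root-password"   # e.g. dsenableroot -u <admin> -p <adminpw> -r <newrootpw>
    elif [ "$state" = "enabled" ]; then
        echo "ok-password-set"
    elif [ "$state" = "disabled" ]; then
        echo "ok-disabled"
    else
        echo "inspect-manually"
    fi
}

# Live check; runs only where dscl exists (macOS).
audit_root() {
    raw=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_state "$raw")
    blank="no"
    # -authonly verifies a credential without logging in; "" tests the blank password.
    # It is attempted only when root already has a hash record, never on a disabled root.
    if [ "$state" = "enabled" ] && dscl . -authonly root "" >/dev/null 2>&1; then
        blank="yes"
    fi
    echo "root account: $state; blank password accepted: $blank; action: $(recommend_action "$state" "$blank")"
}

if command -v dscl >/dev/null 2>&1; then audit_root; fi
```

Run it as an administrator on each High Sierra machine; a result of "set-root-password" means the mitigation from Apple's statement above still needs to be applied there.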