Security hole in macOS High Sierra lets anyone gain root access to a logged in machine

There’s a security hole in macOS High Sierra and we’ve verified the issue.

First reported in this tweet:

Here’s how to reproduce it:

  • Log in to your Mac, as you normally would
  • Now launch System Preferences
  • Click the Users & Groups pane
  • Click the lock to make changes but do NOT enter your normal credentials
  • Instead, change the user name to root and leave the password field blank, but click in the password field first (it does not appear to work if you don’t click in it), then click Unlock
  • If you don’t get in, change the user name to root, leave password field blank (but click in it), click Unlock again

Eventually, you will get a second Unlock dialog. Repeat this procedure with root and empty password field. This time, when you click Unlock, the admin lock will unlock and you are in.

Note that, as first described, this requires physical access to a machine that is already logged in (see the update below for the case where no one is logged in). I have verified this on my machine and it does work.

While this is an issue, this would be way more of an issue if this technique allowed you to log in to a machine (perhaps a stolen one, for example), as opposed to gaining root access to a machine whose user logged in and granted access in the first place. Not nothing, but the sky is not falling.

We’ve reached out to Apple and will update this post the moment we hear back.

UPDATE: This just got a bit worse. This same technique will let you log in to any Mac whose login options are set to “Display login window as Name and password” instead of “Display login window as List of users”.

While you wait for Apple to respond, we suggest you do this:

  • Go to System Preferences / Users & Groups
  • Click the lock, log in as your admin user
  • Click Login Options (bottom left)
  • Click List of users instead of Name and password

You can also follow up by setting a root password or, as others have suggested, disabling the root user (note that, as a commenter points out below, disabling the root user leaves its password blank, which is the configuration this affects, so set a non-empty root password rather than only disabling the account). My suggestion would be to wait until Apple responds, then follow their suggested advice.
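The following script is an added example, not code from the original post or from Apple: it classifies the two settings discussed above (the login window style and whether root has a usable password) and prints the mitigation the post and its comments recommend. The details it assumes are not stated on the page: that the login window style is the SHOWFULLNAME key in /Library/Preferences/com.apple.loginwindow (1 = “Name and password”, 0 or absent = “List of users”), and that root’s state appears in the AuthenticationAuthority attribute printed by `dscl . -read /Users/root AuthenticationAuthority` (containing “;DisabledUser;” when the account is disabled, or “No such key” when it has never been given a password). The classification functions take the raw tool output as an argument so they can be exercised offline on constructed samples; the real commands run only on macOS.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple). Assumptions, as
# stated in the lead-in: SHOWFULLNAME in com.apple.loginwindow selects the
# login window style, and root's AuthenticationAuthority attribute shows
# ";DisabledUser;" (disabled) or is absent ("No such key") when root has
# never had a password. Both are the configurations the commenters report
# as affected.

# Map the SHOWFULLNAME value to the login window style named in the post.
login_window_mode() {
  case "$1" in
    1|true|TRUE|yes|YES) echo "name-and-password" ;;
    *)                   echo "list-of-users" ;;
  esac
}

# Classify root from the dscl output for AuthenticationAuthority.
# Order matters: a disabled account also carries a ShadowHash entry.
root_account_state() {
  case "$1" in
    *DisabledUser*)  echo "disabled" ;;
    *"No such key"*) echo "no-password" ;;
    *ShadowHash*)    echo "enabled" ;;
    *)               echo "unknown" ;;
  esac
}

# Combine both checks into the advice given in the post: set a non-empty
# root password (not merely disable root), and prefer "List of users" so
# arbitrary user names cannot be typed at the login window.
assess() {
  mode=$(login_window_mode "$1")
  state=$(root_account_state "$2")
  case "$state" in
    disabled|no-password)
      if [ "$mode" = "name-and-password" ]; then
        echo "AFFECTED: root has no usable password and the login window accepts arbitrary names; set a root password (sudo passwd root) and switch to List of users"
      else
        echo "AFFECTED: root has no usable password; set a root password (sudo passwd root)"
      fi ;;
    enabled)
      echo "root has a password set; confirm it is non-empty and strong" ;;
    *)
      echo "could not classify root state: $2" ;;
  esac
}

# Query the live system only on macOS; elsewhere the functions above can
# still be run on sample strings.
if [ "$(uname)" = "Darwin" ]; then
  show=$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null || echo 0)
  auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  assess "$show" "$auth"
fi
```

Run it with `sh check-root.sh` on the Mac in question; reading the loginwindow preference does not need root, and `dscl . -read` on the local node works as an ordinary user. Setting the password afterwards (`sudo passwd root`) is the step the comments below recommend over disabling the account.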

UPDATE 2: Apple said it is working to fix the issue.



  • komocode

    “this would be way more of an issue if this technique allowed you to log in to a machine”

    but it does allow you to login to a machine: https://twitter.com/0xAmit/status/935607313368481793

    • Dave Mark

      See the update.

    • If this is the case, it means you’re going to have to change your encryption key after Apple’s done fixing it.

      Hopefully that’s as simple as decrypting/re-encrypting, but I’m not sure.

  • flydrive

    Doesn’t work for me – I get the waving ‘no’ box every time. Difference on this machine perhaps is that it does have a root password set, so perhaps only machines with the default configuration of no root password are affected.

    • Dave Mark

      Yup. Only an issue for people who do not have a root password.

  • “This same technique will enable you to login to any Mac whose login options are set to “Display login window as Name and password” instead of “Display login window as List of users”.”

    “Click Name and password instead of List of users”

    Don’t you mean “Click List of users instead of Name and password”? The way you put it would make the machine vulnerable.

    • Dave Mark

      Yup. Fixed. And thanks!

  • Make sure not to click in the password box or tab to it after entering “root”. Just type “root” in the username and then click Unlock.

  • rick gregory

    First off, this is bad. No two ways around it, it needs to be patched ASAP and obviously some testing changes need to happen as it’s not hard or obscure.

    Second, the guy should have disclosed to Apple’s security team privately so there COULD be a patch ready before public disclosure. It’s highly irresponsible for him to tweet this out without giving Apple a heads up so the vulnerability could be patched and the risk lessened.

    • Kip Beatty

      Yes, this is a monumental fuck up by Apple, no way around it. This is the most basic level of security and they failed.

      That said, you’re right. This is absolutely not the way to release or disclose a security issue. You’ll still get the credit for discovering it if you disclose it privately and give the company a chance to correct the issue. If they ignore you, go public, but you’ve got to give them a chance to fix it first. Not to protect Apple or Microsoft or any other big company, but to protect the users.

    • the guy should have disclosed to Apple’s security team privately

      Agree in spades. I do wonder if Lemi did try to contact Apple directly but didn’t get a response. Either way, his tweet should disqualify him from receiving Apple’s bug bounty.

  • lkalliance

    So this exploit requires a user to already be logged in…does that logged-in user need to be an admin user, or can it be any user? Also, when the login page is to be a list of existing users…isn’t there a mechanism to allow a user to override that and enter in arbitrary credentials?

  • John Kordyback

    That’s brutal. However it looks relatively easy to fix (i.e. they don’t have to patch the kernel which requires a huge amount of regression testing). I expect a patch relatively quickly.

    10.13.2 is already in Beta4, I wonder where they’ll stick this fix?

  • mdeatherage

    “You can also follow up by entering a root password or, as others have suggested, disabling the root user. “

    Disabling the root user simply blanks the password and enables the bug all over again. You have to set the root user password to a non-empty value (and if you’re going to do that, make it a secure one). You can disable the root user once Apple fixes the bug.

  • Mo

    SO relieved I haven’t been tempted to upgrade to High Sierra yet.

    • Kip Beatty

      …and do take your time. It’s still not sorted.

      • Mo

        Seriously.

  • fastasleep

    What’s not getting enough attention is that this exploit also works remotely if you have Screen Sharing, Remote Management, maybe other sharing (File Sharing?) turned on. Anyone can find your machine via Bonjour and perform this exploit via the Screen Sharing login window for example (I just did exactly that with a random iMac in my office over WIFI). That means if you have any of these services turned on and are sitting in public somewhere on WIFI, you’re a sitting duck.
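As an added example (not code from the commenter or the original post), here is a small check for the remote-exposure angle raised above: it lists which of the sharing services the commenter mentions are enabled, by scanning `launchctl list` output. The launchd labels are assumptions not stated on the page: Screen Sharing as com.apple.screensharing and Remote Management as com.apple.RemoteDesktop.agent. The parser takes the listing as a string so it can be exercised on a constructed sample; on macOS it reads the real listing (run with sudo to see system-domain daemons).

```shell
#!/bin/sh
# Added example (not from the commenter or the original post). Assumed
# launchd labels (not on the page): com.apple.screensharing = Screen Sharing,
# com.apple.RemoteDesktop.agent = Remote Management.

# Print one line per exposed service found in a `launchctl list` listing
# (tab-separated columns: PID, Status, Label).
exposed_services() {
  printf '%s\n' "$1" | awk '
    $3 == "com.apple.screensharing"       { print "screen-sharing" }
    $3 == "com.apple.RemoteDesktop.agent" { print "remote-management" }
  '
}

# Constructed sample listing, used where the real command is unavailable.
SAMPLE='PID	Status	Label
123	0	com.apple.screensharing
-	0	com.apple.RemoteDesktop.agent
456	0	com.apple.Finder'

if [ "$(uname)" = "Darwin" ]; then
  found=$(exposed_services "$(launchctl list)")
else
  found=$(exposed_services "$SAMPLE")
fi

if [ -n "$found" ]; then
  echo "network services that present a login window:"
  echo "$found"
else
  echo "no Screen Sharing / Remote Management jobs listed"
fi
```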

  • Jake Elwood

    Looks like Apple has made that back door that the FBI were asking for.

    • Kip Beatty

      Ha, I see what you did there. Unfortunately for the FBI they wanted an iOS backdoor. Terrorists and spree killers rely on High Sierra far less frequently it seems.

  • James Hughes

    I am always amazed how people even find these holes. Who would even think to do this? Gee, I think I’ll go to system preferences, click on the pad lock, NOT enter my actual credentials, but instead enter root, leave the password field blank.. and nope, didn’t work. Let me try that again.

    Like Mo, I guess I’ll be staying with plain “old” Sierra for a while longer.

    • Mo

      Some guys are obsessed with root, I guess. Are they overcompensating for something? 😉

      I’m actually still on El Capitan. I generally wait for the “tock” releases.

      • James Hughes

        I must be on the tick schedule.

        • Mo

          Succumb not to temptation, but always protect thine workflow!

  • lucascott

    Okay, I’m confused about this. First it says you can log into any computer by putting in root etc., but then it says that you have to be logged in already and this just works to unlock System Preferences.

    If it’s the latter, then is it really that huge of a security risk? I mean folks have access to all your data already since you are logged in, and isn’t that the real security issue. I mean sure, okay, it apparently enables root mode, but really what is the point of that other than being able to access all accounts, and you can do that by changing the password via the recovery drive.