Security hole in macOS High Sierra lets anyone gain root access to a logged in machine

There’s a security hole in macOS High Sierra and we’ve verified the issue.

First reported in this tweet:

Here’s how to reproduce it:

  • Log in to your Mac, as you normally would
  • Now launch System Preferences
  • Click the Users & Groups pane
  • Click the lock to make changes but do NOT enter your normal credentials
  • Instead, change the user name to root, leave the password field blank, but click in the password field (does not appear to work if you don’t click in the password field) and click Unlock
  • If you don’t get in, change the user name to root, leave password field blank (but click in it), click Unlock again

Eventually, you will get a second Unlock dialog. Repeat this procedure with root and empty password field. This time, when you click Unlock, the admin lock will unlock and you are in.

Note that this does require you to have physical access to a machine and be already logged in to the machine. I have verified this on my machine and it does work.

While this is an issue, this would be way more of an issue if this technique allowed you to log in to a machine (perhaps a stolen one, for example), as opposed to gaining root access to a machine whose user logged in and granted access in the first place. Not nothing, but the sky is not falling.

We’ve reached out to Apple and will update this post the moment we hear back.

UPDATE: This just got a bit worse. This same technique will enable you to login to any Mac whose login options are set to “Display login window as Name and password” instead of “Display login window as List of users”.

While you wait for Apple to respond, suggest you do this:

  • Go to System Preferences / Users & Groups
  • Click the lock, login as your admin user
  • Click Login Options (bottom left)
  • Click List of users instead of Name and password

You can also follow up by entering a root password or, as others have suggested, disabling the root user. My suggestion would be to wait until Apple responds, then follow their suggested advice.

UPDATE 2: Apple said it is working to fix the issue.