Security disaster: macOS High Sierra lets you log in as root without a password

Posted on Tuesday, November 28 2017 @ 22:23 CET by Thomas De Maesschalck
Developer Lemi Orhan Ergin accidentally discovered a massive security leak in Apple's macOS High Sierra operating system. It is almost too silly to believe, but apparently you can log in as the root user without a password.

Basically, all you need to do is log in as "root" and leave the password field empty. After clicking on the unlock button a couple of times, the operating system will give you full administrative rights.

Various Twitter users and some IT publications confirmed the existence of this huge bug. The issue appears to be that High Sierra creates a root account with a blank password. Exploitation requires physical access to your computer. As a mitigation, you can enable the root user and set a password for this account. Details on how to do this can be found on this Apple support page.

The bug is found exclusively in High Sierra; older versions of macOS do not have this flaw.


