About the Vulnerability in macOS

A HUGE (read: YUGE) security vulnerability has been found. There’s a root user vulnerability in macOS High Sierra 10.13.1. This vulnerability allows anyone to log in as root with an empty password. If you don’t want to read how to fix it, you can watch my video on YouTube.

The initial user I saw on Twitter (@lemiorhan) said ‘after clicking on login button several times,’ but I was able to recreate this issue on the first try. This is an absolutely horrendous security vulnerability that should have been caught by Apple’s developers & security team.

How to recreate the vulnerability

This is pretty simple to recreate. The easiest way to see it is by:

  1. opening ‘System Preferences,’
  2. going to ‘Users & Groups,’
  3. clicking the padlock to make changes,
  4. entering ‘root’ (without quotes) as the username,
  5. clicking in the password field (while leaving it blank),
  6. and then pressing ‘Unlock.’

In testing this vulnerability in macOS, I was able to log in as ‘root’ and have complete control over my MacBook Pro. Check out the screenshots:

[Screenshot: The desktop for the ‘System Administrator’ user (aka the root user) after logging in using the vulnerability in macOS High Sierra.]

[Screenshot: My MacBook Pro setting up the ‘root’ user’s account after exploiting the vulnerability in macOS High Sierra.]

How to fix this

Some are saying to create a root user or something along those lines. I wasn’t able to test that method and doubt anyone else will because the fact is the root user is already there. Instead, what we need to do is create a password for that user.

  1. Open Terminal,
  2. type ‘passwd root’,
  3. press enter when it asks for the old password,
  4. create a new password &
  5. confirm it.

It’s that simple – your machine is now protected.
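
A way to check the state of the root account before and after the steps above, as an added example that is not part of the original post. It assumes that `dscl . -read /Users/root Password` prints `Password: *` while root has never been given a password; the function names and the sample strings used to exercise them are made up for illustration.

```shell
#!/bin/sh
# Added example: report whether this Mac is on the version named in the
# article and whether the root account has a password record yet.
# Parsing lives in functions that take text, so it can be tried off a Mac.

AFFECTED_VERSION="10.13.1"   # the version named in this article

# Returns 0 when the given product version is the one the article names.
is_affected_version() {
    [ "$1" = "$AFFECTED_VERSION" ]
}

# Classify the output of `dscl . -read /Users/root Password`.
# Assumption: "Password: *" means no password has ever been set for root;
# any other value means a password record exists. This cannot tell whether
# that password is blank, so run 'passwd root' regardless on an affected Mac.
root_password_state() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    case "$value" in
        "")  echo "unknown" ;;
        "*") echo "no-password-set" ;;
        *)   echo "password-record-present" ;;
    esac
}

# $1 = product version string, $2 = dscl output for /Users/root Password
report() {
    state=$(root_password_state "$2")
    if is_affected_version "$1" && [ "$state" = "no-password-set" ]; then
        echo "EXPOSED: macOS $1 and root has no password; run 'passwd root'"
    else
        echo "macOS $1, root state: $state"
    fi
}

# On a Mac, run against live values; elsewhere this is skipped.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    report "$(sw_vers -productVersion)" \
           "$(dscl . -read /Users/root Password 2>/dev/null)"
fi
```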