What's new

MacOS Bug Lets You Create a Root Account by Repeatedly Pressing a Button


A bug in the latest versions of macOS High Sierra allows users to create a root account with no password by repeatedly pressing a button in the preferences panel.
The only way an attacker could exploit this bug is if the macOS owner left his Mac unlocked and then left his desk.
This is all an attacker needs because with a few clicks he can create a root account that he could use at a later time to access the vulnerable device. The root account can also be used to log into the vulnerable machine remotely.
How the bug works!
Step 1: Open the macOS system preferences window
Step 2: Go to Users & Groups
Step 3: Click the lock icon in the bottom-left corner of the window
Step 4: Type "root" in the username field
Step 5: Place the cursor in the password field
Step 6: Press the Unlock button repeatedly until the user is created
These steps will create a root account on the computer with no password. An attacker could use this account at a later time to legitimately log into a victim's Mac.
The bug affects macOS High Sierra 10.13.1 and 10.13.2 Beta. Users can prevent an attacker from exploiting a bug by creating a "root" account themselves and giving it a custom password. This blocks the bug from creating another root account.



I just heard about this bug yesterday from my adult son who alerted me to this very serious bug.

I wanted to point out several additional points about points about this bug and it seriousness (you should protect yourself now)

1) This vulnerability is not just for those that can walk up to you Mac. The bug can be exploited other ways as well:
......anybody who has physical access to your Mac or can get through via screen sharing, VNC, or remote desktop, and enters "root" and hits login repeatedly, can gain complete access to the machine.
2) Root access is much more serious than having access to an admin account. Root access is a superuser account and is normally disabled when you get your Mac. They don't want admin users to have normal access to its capabilities as misteps can require reinstallation of your entire system. Under rare circumstances when access to the root capabiity is needed, one typically disables that account as the ending step. The temporary bug fix is to create a root account with a strong password and leave it enabled. A long term fix would not involve having this root account stay enabled

3) This bug was not handled though normal channels with Apple yet announced publicly with no notice to Apple so there is no immediate fix through an upgrade path with Apple leaving systems vulnerable until Apple provides a fix or you follow the steps given in Gedstars post above (which is easy yet follow the steps carefully step by step)

4) My son confirmed the bug on his "High Sierra" mahcine providing an easy open door to the root superuser account and I also confirmed on my "Sierra" Mac that the previous OSX does not have this vulnerability.

5) The person who found this bug missed a huge dollar opportunity by not reporting this to Apple's bug bounty program while giving hackers more time to try and exploit this bug before Apple can get a patch put in place.


I bet Apple takes some steps to see how this bug got introduced to avoid similar oversights in the future.


John Wheeler