Users urged to set ‘root’ password immediately

Apple is scrambling to patch a critical and oh-so-simple vulnerability in its latest operating system that grants Mac administrator access without the need for a password.

The flaw centers on the root ‘superuser’ account in macOS High Sierra, which is disabled by default but used to provide additional read and write privileges.

It was found that anyone with physical access to a Mac machine running High Sierra can gain administrator access by simply typing ‘root’ as a username on the login screen or via System Preferences and leaving the password field empty.

The issue was flagged by Turkish developer Lemi Ergin at around 2:00pm EST yesterday:

In the hours following the disclosure, the exact nature of the bug remained unclear. Some users reported the need for multiple login attempts before access is granted, but it seems that clicking or tabbing into the password field during the process will result in a successful root login.

Security researcher Patrick Wardle conducted a thorough investigation into the bug and presented his findings in a technical blog post earlier today.

The vulnerability appears to be present in macOS High Sierra 10.13.1 – the current version – as well as in the macOS 10.13.2 beta, but does not affect older versions, such as Sierra and El Capitan.

Apple said it was working on a software update to address this issue, but as a temporary workaround the company said users can fix the glitch by enabling a root user password.

As High Sierra users await Apple’s update, some questioned Ergin’s decision to disclose the vulnerability via Twitter:

However, given the severity (and simplicity) of the bug, others fought the researcher’s corner:


While the debate surrounding bug-finders’ “moral burden” looks likely to continue throughout much of the day, one keen-eyed Twitter user noted that the login issue was inadvertently discovered by a helpful member of the Apple support forums more than two weeks ago:

The Mac login glitch is likely to add fuel to the decades-old argument surrounding security vulnerability disclosures. And while this fundamental ethical issue drives deep into the heart of the infosec community, most Apple users will simply be hoping the tech giant is quick to mitigate the situation and issue a patch as soon as possible.