Don’t leave your Mac unattended. High Sierra bug lets anyone log in as root

Nov 29, 2017

John Aldred

John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.

This isn’t so much a photography-related post as a PSA for photographers, video professionals, or anybody else who uses a Mac. If you’ve updated to the latest version of High Sierra – 10.13.1 (17B48) – prepare yourself for a shock. This is a big one.

It turns out there’s a gaping security hole that allows anybody with physical access to your computer to get root access to your entire system. And it doesn’t take any kind of “hacking” skill at all. While Apple will no doubt fix it quite quickly, there is something you can do to resolve the issue yourself in the meantime.

To gain access to your system, essentially all somebody needs to do is enter “root” into the username field and leave the password empty. After a few attempts, it just lets them log straight in.

Fortunately, though, there is a way for you to fix the problem yourself until you get an update from Apple. As detailed on The Register, simply set a root password. In a console, enter the line…

sudo passwd -u root

Then, set a password when prompted. This changes the root password from being empty to one of your own choosing, which thwarts the would-be attacker standing at your keyboard.

While this is primarily being raised as a local user issue, there is the potential for remote root access, too. If you’re running something like VNC or a similar remote-access server, somebody could connect as a regular user and then upgrade their access to the root account, gaining control over the whole system.

Apple has also released a guide on enabling the root user of your Mac and changing the root password.
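As an added example (not from the original post, from The Register, or from Apple), here is a small shell script you can use to confirm the mitigation above took effect. It reads the AuthenticationAuthority attribute of the root account with dscl and reports whether root is unconfigured, disabled, or has a password hash. The three output patterns it matches on, and the reading of the “No such key” case as the default unconfigured state, are assumptions about how Directory Services records local accounts rather than something the post states, so check the raw dscl output on your own Mac. The classify and needs_action functions are plain text handling and can be exercised on any system; the audit_root wrapper only does anything where dscl exists.

```shell
#!/bin/sh
# Added example (not from the original post): audit the macOS root account
# after the High Sierra 10.13.1 issue described above.
#
# It classifies the output of:
#   dscl . -read /Users/root AuthenticationAuthority
# The patterns below are assumptions about Directory Services output, not
# something the article documents:
#   "No such key"     -> root has never had a password set (default state,
#                        the one the bug abuses)
#   ";DisabledUser;"  -> root explicitly disabled (e.g. via dsenableroot -d)
#   ";ShadowHash;"    -> root has a password hash, i.e. root is enabled

classify_root_auth() {
    # $1: text as printed by dscl (stdout and stderr combined)
    case "$1" in
        *"No such key"*)     echo "not-configured" ;;
        *";DisabledUser;"*)  echo "disabled" ;;
        *";ShadowHash;"*)    echo "enabled" ;;
        *)                   echo "unknown" ;;
    esac
}

# Returns 0 (true) when the state is the one the post tells you to fix.
# "enabled" is what you get after running the mitigation (sudo passwd -u root),
# but it is also what an attacker leaves behind, so audit_root prints a note
# for it rather than silently passing.
needs_action() {
    case "$1" in
        not-configured) return 0 ;;
        *)              return 1 ;;
    esac
}

audit_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only runs on macOS" >&2
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_auth "$out")
    echo "root account state: $state"
    case "$state" in
        enabled)
            echo "root has a password hash; if you did not set one yourself, set one now with: sudo passwd -u root" >&2
            ;;
        unknown)
            echo "unrecognised dscl output, inspect it manually:" >&2
            echo "$out" >&2
            ;;
    esac
    if needs_action "$state"; then
        echo "root has no password set; set one with: sudo passwd -u root" >&2
        return 1
    fi
    return 0
}

# Run the live check only when explicitly asked, e.g.:  sh audit-root.sh --run
case "${1:-}" in
    --run) audit_root ;;
esac
```

Run it with `--run` on the Mac in question; a non-zero exit means root is in the state the post warns about. The exit code makes it easy to drop into a login script or a fleet check, which is the point of separating the classifier from the command that gathers the data.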

[via The Register]

16 responses to “Don’t leave your Mac unattended. High Sierra bug lets anyone log in as root”

  1. Adam Król

    There is already an update so check your story before you publish some old “news” ?

  2. Damir Perisa

    apple stopped being taken seriously when they got rid of their pro workstations and their server version of OSX. enabling passwordless root on any machine at any time (all after 1975) is just a noob mistake of amateurs :(

    1. Peter John Williams

      Apple still have the server version of MacOS

    2. Damir Perisa

      an “app” is not a proper server maintenance tool. they abandoned network user accounts, and updating from 10.6.8 (last server osx) to any newer release of osx or macos with the server “app” you lose your server setup and the kerberos domain gets corrupted, the systems keep crashing or keep failing to login to the domain … i am admin in all realms out there and apple’s a mess .. and this is me being generous about it.

  3. Phillip C Reed

    The update containing the fix is being pushed out today.

  4. RC Levell

    But it’s already patched as of earlier. Yet you post it after the patch… Ok. LOL.

  5. Maurice Dudley

    My 2012 MacBook Pro will no longer reboot. Just a black screen with lit keyboard. Is it down for the count?

  6. Gomes Alberto

    Old news. Already patched!

  7. Félix Barraud de Lagerie

    The fix update is out?

  8. Angie Jones

    Not if you’ve set the root password yourself or have installed the new patch released today

  9. Kryn Sporry

    Good to know. A bit of a storm in a glass of water, but useful to know the mitigation.

  10. Sergi Yavorski

    That’s why you need to switch to PC ??

    1. Diogo Carvalho

      Yes! Because Microsoft has never had software problems, and actually it never had two-decade-old unpatched bugs! Thank god we have Windows. https://www.pcworld.com/article/2846004/microsoft-fixes-severe-19-year-old-windows-bug-found-in-everything-since-windows-95.amp.html

    2. Diogo Carvalho

      Shame on Apple for taking as long as 24h…

  11. Alexander L. Harris

    You know you’re a PC gamer from way back when the first thing “High Sierra” made me think of was Ken Williams smoking a joint.

  12. Maurizio Caravaggi

    I got the patch this morning