Apple rolls out fix for the security flaw that let ANYONE log in to a High Sierra Mac
There’s been a sharp rise in the number of breaches and security flaws in recent years, but the latest affecting Apple’s macOS High Sierra is something else.
While most flaws can only be exploited by hackers or people with a certain level of technical knowledge, a vulnerability recently found in the Mac software could be taken advantage of by anyone – including you.
If you’re running High Sierra 10.13.1, it’s possible for anyone to log in to your account and preferences simply by typing the word “root” in the username field. That’s right, you can get access to an entire drive, personal files, account preferences (including those in security and privacy) and could even install software, including malware, with a simple login.
There was a temporary workaround (details below) but Apple has since released a permanent fix in the form of a security update, called 2017-001. Released 29 November, the update is available for anyone running macOS High Sierra 10.13 and macOS High Sierra 10.13.1 as the flaw does not affect macOS Sierra 10.12.6 or earlier. Apple lists the flaw as “a logic error in the validation of credentials.”
Install Apple’s security update
To update to the latest software and install this security update:
- Open the App Store
- Click Updates from the toolbar
- Press the Update buttons next to each entry to download and install any updates listed
If your Mac is set up for automatic updates, or if you want to check the update process has worked:
- Open the Terminal app in Utilities, found in the Applications folder.
- Type what /usr/libexec/opendirectoryd and press Enter
- If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
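The same check as a script, as an added example that is not from Apple or the original article: it compares the project version in the output of what with the two values listed above. The function names, status strings and sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify Security Update 2017-001 by opendirectoryd project version.
# Expected values are the two listed in the article; everything else is illustrative.

# Constructed sample of `what /usr/libexec/opendirectoryd` output (not captured from a real Mac).
SAMPLE_WHAT_OUTPUT='/usr/libexec/opendirectoryd
    PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'

# expected_project OS_VERSION: print the patched project string for that release,
# or return 1 if the article lists no value for it (for example 10.12.6).
expected_project() {
    case "$1" in
        10.13)   echo "opendirectoryd-483.1.5" ;;
        10.13.1) echo "opendirectoryd-483.20.7" ;;
        *)       return 1 ;;
    esac
}

# check_patch OS_VERSION WHAT_OUTPUT: print one of
#   patched         project version equals the value listed for this release
#   mismatch        version missing or different from the listed value
#   not-applicable  release is not one of the two covered by the update
check_patch() {
    os_version=$1
    what_output=$2
    if ! want=$(expected_project "$os_version"); then
        echo "not-applicable"
        return 0
    fi
    # Pull the first "opendirectoryd-<digits and dots>" token out of the output.
    found=$(printf '%s\n' "$what_output" | grep -o 'opendirectoryd-[0-9.]*' | head -n 1)
    # Exact string comparison, so 483.1.5 is not confused with e.g. 483.1.50.
    if [ "$found" = "$want" ]; then
        echo "patched"
    else
        echo "mismatch"
    fi
}

# On a Mac, run the live check; elsewhere only the functions are defined.
if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    check_patch "$(sw_vers -productVersion)" "$(what /usr/libexec/opendirectoryd)"
fi
```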
If you need the root user on your Mac after this security update has been installed, you’ll need to re-enable the root user and change the root user’s password. Step-by-step details are at the bottom of this article.
The flaw appears to have been first identified by security researcher Lemi Orhan Ergin, founder of Software Craftsman Turkey, who posted the details on Twitter. In the tweet Ergin wrote: “Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”
He then followed it up with: “You can access [the flaw] via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. And try it for several times. Result is unbelievable!”
Apple has responded by saying it is working on a software update to address this problem and has issued a temporary solution (instructions below).
High Sierra Mac flaw: How to protect yourself
While you wait for Apple to push out a software fix, it’s advisable to manually set a root password to prevent unauthorised access to your Mac.
Enable or disable the root user
- Click the Apple menu in the top-left-hand corner, select System Preferences and open Users & Groups (or Accounts).
- Click the lock icon and enter your administrator name and password.
- Select Login Options and click Join (or Edit).
- Open Directory Utility.
- Click the lock icon again in the Directory Utility window and enter the administrator name and password again.
- From the menu in Directory Utility: Choose Edit, Enable Root User, then enter the password that you want to use for the root user or choose Edit, Disable Root User.
Log in as the root user
After you’ve enabled a root user, only the person logged in as that root user can make root-level changes. To log in as a root user:
- Click the Apple icon and select Log Out.
- When prompted to log in, enter the username “root” and the password you created above.
If the login window shows a list of users, click Other and then log in.
Remember to disable the root user after completing your task.
Change the root password
- Open System Preferences from the Apple menu and select Users & Groups (or Accounts).
- Click the lock icon and log in.
- Click Login Options and then Join (or Edit).
- Open Directory Utility.
- Click the lock icon in the Directory Utility window and re-enter the login details.
- From the menu select Edit and then Change Root Password.
The full instructions and more about root users can be found on Apple’s official support page.
Not everyone has been able to replicate the flaw, and Ergin has been fiercely criticised for making the flaw public rather than going through a bug bounty programme or highlighting the vulnerability through the proper channels to Apple directly.
This isn’t the first bug seen in High Sierra. On the day of launch, malicious code was found on the system that could access and steal keychain data without a password. Another flaw exposed a user’s password as a password hint when trying to unlock an encrypted partition.