MacOS High Sierra's 'Root' Bug Makes Hacking it Easy The bug appears to only affect High Sierra (MacOS 10.13.1), and Apple is working on a fix.

By Michael Kan

This story originally appeared on PCMag

pisaphotography | Shutterstock

Mac computers with High Sierra (MacOS 10.13.1 or higher) have a serious bug that can let anyone gain root access to the system without a password.

The hack is easy to pull off. It can be triggered through the Mac's System Preferences application when "Users &; Groups" is selected, and the lock icon on the window is clicked. After that, a new login window will appear. Anyone who types "root" as the username, leaves the password field empty, and clicks unlock (once or twice) is on their way to a new account that has system admin privileges to the computer.

With those privileges, the account can be used to modify the rest of the Mac and look up passwords on the keychain access. Even after a reboot, the root account remains.

There are also reports the bug can be triggered at the Mac login screen, but not everyone was able to produce the same findings.

The problem made headlines when security researcher Lemi Orhan Ergin tweeted about on Tuesday.

Amit Serper, a security researcher with Cybereason, replicated the result and said the bug "is as serious as it gets."

Hackers are always crafting malware that can gain greater system privileges into a computer. Now they have a new way, which can also be triggered via a Mac's command line function. Imagine a piece of malicious code designed to attack Macs using the same flaw. Users wouldn't even know they were compromised, Serper said.

Shortly after the bug was made public, Apple issued the following statement:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Security experts are still going over the bug, but it can be remotely exploitable, if for instance, screen sharing is enabled on the Mac.

It does not appear Apple was made aware of the bug before it was publicized on Twitter, something the security community generally frowns upon. "This kind of public disclosure can put users at risk," said Keith Hoodlet, a security engineer with Bugcrowd, which does crowdsourced security testing.

He recommends users refrain from trying out the bug on their High Sierra-installed Macs. Doing so creates an account with super privileges, which can open it up to remote attack. To mitigate the risk, users who've decided to test the bug should create a password for the new root account, which can be done by following the temporary fix Apple provided.

Michael Kan

Reporter

Michael has been a PCMag reporter since October 2017. He previously covered tech news in China from 2010 to 2015, before moving to San Francisco to write about cybersecurity.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business Ideas

70 Small Business Ideas to Start in 2025

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2025.

Starting a Business

The Next Chapter of Basketball? Why This New League Is Betting Big on 1v1 Hoops

The Next Chapter is a premier 1v1 league turning streetball culture into a marketable, competitive sport. With unique players and pay-per-view events, the league aims to become a billion-dollar basketball business.

Social Media

Lauryn Bosstick's Multi-Million-Dollar Playbook: Build an Audience First, Then Create Products Just for Them

Lauryn Bosstick, founder of The Skinny Confidential, says more founders should reverse the typical business playbook.

Starting a Business

This 'Dream' Side Hustle Out-Earned Her Corporate Salary in 2 Years — Now It's a $2 Million Business

Here's the exact blueprint she used to leave her W2 job behind and step fully into entrepreneurship.

Leadership

5 CEOs Sat Down for a Candid Conversation — What They Revealed Could Change Your Entire Perspective on Leadership

These five CEOs get brutally honest about leadership, pressure and letting go of control.

Business News

Deloitte Is Reimbursing Employees Up to $1,000 — For Buying Lego Sets

Each Deloitte employee can spend up to $1,000 on items to improve their well-being.