Pixel Envy

Written by Nick Heer.

MacOS High Sierra’s Authentication-Free Root Account

Juli Clover, MacRumors:

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

As with any security issue, it would have been preferable for this to be disclosed to the vendor — in this case, Apple — privately before being publicly exposed. And, still, this is a huge problem for anyone whose recently-updated Mac is occasionally in the vicinity of other people. Apparently, pretty much any authentication dialog is susceptible, including worrying things like Keychain Access or changing a drive’s FileVault state. It appears to be a bug introduced in High Sierra; I failed to reproduce it on a machine running MacOS Sierra.

I don’t want to speculate on whether something like this would be caught in code review or a penetration testing scenario. Apple may do both of those things and it may have simply bypassed loads of people. I also don’t know how much buggier Apple’s operating systems are now compared to, say, ten years ago, if they are truly buggier at all. Maybe we were just more tolerant of bugs before, or perhaps apps crashed more instead of subtly failing while performing critical tasks.

But there has been a clear feeling for a while now that Apple’s software simply doesn’t seem to be as robust as it once was. And perhaps these failures are for good reasons, too. Perhaps parts of MacOS and iOS are being radically rewritten to perform better over the long term, and there are frustrating bugs that result. In a sense, this is preferable to the alternative of continuing to add new features to old functionality — I’d be willing to bet that there’s code in iTunes that hasn’t been changed since the Clinton administration.

Even with all that in mind, it still doesn’t excuse the fact that we have to live and work through these bugs every single day. Maybe a security bug like this “root” one doesn’t really affect you, but there are plenty of others that I’m sure do. I’m not deluded enough to think that complex software can ever be entirely bug-free, but I’d love to see more emphasis put on getting Apple’s updates refined next year, rather than necessarily getting them released by mid-September.1 There’s a lot that High Sierra gets right — the transition to APFS went completely smoothly for me, and the new Metal-powered WindowServer process seems to be far more responsive than previous iterations — but there is also a lot that feels half-baked.

Update: It gets worse — based on reports from security researchers on Twitter, this bug is exploitable remotely over VNC and Apple Remote Desktop. So, not only is this bug bad for any Mac left in a room with other people, it’s also bad for any Mac running High Sierra and connected to the internet with screen sharing or other remote services enabled. It’s worth adding a strong password to the root user account if you haven’t already. Thanks to Adam Selby for sending this my way.

Update: This bug has been known for at least two weeks, according to a post on Apple’s official developer forums.

Update: Apple has rolled out a fix for this bug that you should install immediately. Even if you don’t, it will install itself.

  1. For extra irony, recall that High Sierra was pitched as a refinement of MacOS Sierra. ↩︎