One of the most alarming security bugs to ever plague a major computer operating system is also one of the dumbest. First discovered by Turkish developer Lemi Orhan Ergin, the vulnerability lets anyone log into any computer running macOS High Sierra — the most recent Apple operating system released — just by typing "root" for the username, and then clicking on the login button a few times with the password entry left blank.
Ergin tweeted about the flaw on Tuesday, and as of the time of publication, all macOS High Sierra machines are still vulnerable. Apple has a well-publicized bug-reporting program in place, but it appears Apple either didn't know about the security flaw or was unable to fix it before Ergin tweeted it publicly — which unfortunately makes Apple users even more vulnerable to attackers with bad intentions.
Apple confirmed that it was already working on a solution. "We are working on a software update to address this issue," the company said in a statement to BuzzFeed News. "In the meantime, setting a root password prevents unauthorized access to your Mac."
Soon after Ergin's tweet, a flood of security researchers and writers confirmed the bug works as described — whether attempting to access an administrator's account on an unlocked Mac, or trying to gain access via the login screen of a locked Mac.
"It is as bad as it sounds," Amit Serper, a security researcher from the software company Cybereason, told BuzzFeed News. "It allows everyone with access to your machine — and in some cases remotely — to escalate the privileges to the highest level of them all."
"Apple could have avoided it originally by setting a random password to the root user," Serper added, "in a way that the password is randomly generated every time the operating system is installed."
If a bad actor exploited this security bug, they'd get System Administrator access — meaning that person could read and write over virtually any part of the computer system, including files in other macOS user accounts. They could reset or change passwords, delete or add users and Apple IDs linked to the machine, and dip into other accounts on the system — essentially, they would get unfettered access to all the data that lives on the computer. The bug is present in macOS High Sierra 10.13.1, the current version released to users, and the macOS 10.13.2 beta that is still being tested.
Worse yet, the attack works even when someone does not have physical access to your macOS High Sierra machine. One Twitter user confirmed that the vulnerability works over a piece of software called VNC, or even through Apple's own Remote Desktop software.
"There is a remote vulnerability if [your machine's] OS X firewall is disabled, and Remote Desktop is enabled," said Kenneth White, a Washington, DC–based security consultant for federal agencies. "It's probably a good time to confirm your firewall is up, and on stealth block."
Here's How To Protect Your Mac
This is a serious flaw and you should act quickly to defend yourself. As Apple advised, for now, the best workaround is to enable the root account, and keep it enabled with the password of your choice. Here's how:
Go to System Preferences > then click Users & Groups (or Accounts). After you click the lock icon, enter your admin name and password. Click Login Options > then click Join (or Edit). Select Open Directory Utility > click the lock icon in the Directory Utility window > then enter your admin name and password again. When Directory Utility opens in a new window, go to the menu bar and select Edit > Enable Root User, then enter a password for the root user.
Disabling your computer's root account would not fix the problem, according to several researchers looking into the bug.
Davey Alba is a senior technology reporter for BuzzFeed News and is based in New York.
Contact Davey Alba at firstname.lastname@example.org.
Got a confidential tip? Submit it here.