
Apple Macs have gaping root hole – here’s a superquick way to check and fix it

You can't log in as "root" on a Mac because it never asks you to set the password, so you don't know what it is. Except that it's [blank].

Update. Apple has published a security update to close this hole. [2017-11-29T18:00Z]

What’s the maddest, baddest, craziest, can-you-believe-it, how-did-that-happen security blunder of recent memory?

Companies contending for the top three spots in the past three months surely include:

Well, Apple just did it again, and this one is even zanier than before – so Cupertino may well be back in first place.

The default root login password is…

In High Sierra, the latest version of MacOS (currently at 10.13.1), you can easily guess the password for root, the all-powerful system administration account.

The average number of guesses you need is…

…ONE.

In fact, strictly speaking you need ZERO guesses, because you almost certainly KNOW the password already.

Just log in as root with the password “”, by which we mean no password at all – just hit [Enter]. (You may need to try more than once.)

We’re guessing either that Apple didn’t bother to set a password for root because you don’t usually login or authenticate as root, or that the authentication dialog incorrectly sets a blank password along the way.

The reason you don’t usually need to log in as root is that macOS gets you to set up one or more regular accounts with Administrator powers, so these accounts can perform root-like activities as needed, by putting in their own passwords.

In theory, this is good for security because: you aren’t logged in as an administrator all the time; you don’t need to share a single root password amongst multiple administrators; and there’s accountability because admin activities are tied back to the user who initiated them.

In practice, of course, you need to have a password on the root account if it’s active, and ideally it should be randomly set when you configure the system, so no one knows it. (It’s much easier to stop someone using a password by mistake, or against policy, if they don’t have that password in the first place.)

Given that Apple doesn’t expect you to use the root account directly, it’s astonishing that you can so easily log in as root at all, let alone with a blank password.

This is an epic fail by Apple, and all the world knows about it now, because it was disclosed publicly on Twitter rather than privately to Apple.

What to do?

You can easily set a strong root password of your own, so no one else knows it or can guess it.

The good news is that there’s an easy and safe way to check and fix this problem.

Open a Terminal window and enter the command passwd root, which is how you set the root password in the first place.

Don’t worry – you can’t set a new password this way unless you already know the old one, so just hit [Enter] three times:

$ passwd root
Old Password: [just hit enter to assume that it's blank]
New Password: [hit enter again to leave it blank if it already is]
Retype New Password: [hit enter a third time]

Note that if the old password isn’t blank, you don’t get an error message until the end, so if you see an error like this…

passwd: authentication token failure

…then you don’t have a blank root password.

However, it seems that this bug doesn’t reveal itself immediately – we’ve heard speculation that a failed attempt to access the root account is what triggers the problem in the first place – so try the above process several times in a row. (You can get the passwd root command back by pressing the up arrow key, which replays previous commands in the Bash shell.)

If, on any attempt, you don’t see any message at all, then your root password has been set to the empty string, and you need to change that.

Run the same command again, but this time put in [Enter] as the old password and choose a proper password for root:

$ passwd root
Old Password: [just hit enter]
New Password: **************
Retype New Password: ***************
$

Technically, you don’t even need to keep a record of the password you typed in (though you can’t just type random garbage because you need to put the same password in twice).

You’ll still administer your Mac with your regular Administrator-enabled account by typing in your regular password when needed, just like before.
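The check-and-fix procedure above can be scripted so that a Mac admin can run it across several machines and, crucially, fix the root password in the same run that detects the problem. The following script is an added example and is not code from the article or from Apple. It assumes macOS with dscl(1) available and an admin account that can sudo; the assumption that `dscl . -authonly root ""` exits 0 exactly when the empty password authenticates is the author of this example's, not the article's. The pure helper functions (classifying passwd output, deciding whether any of several attempts saw a blank password) run on any POSIX shell; the live probe and fix only run on Darwin and only when the script is invoked with --fix. The comment thread reports that the first attempt may be what activates the account, so the probe is never run without the fix step behind it.

```shell
#!/bin/sh
# Added example, not from the article: a check-and-fix helper for the blank
# root password condition described above. Assumes macOS (dscl(1) present)
# and an admin account able to sudo. The live check and fix only run on
# Darwin and only when invoked with --fix; the helper functions run anywhere.

# Classify the output of `passwd root` answered with three [Enter]s, as the
# article describes: an auth-token error means a real password is set, no
# output at all means root's password is the empty string.
classify_passwd_output() {
    case "$1" in
        *"authentication token failure"*) echo "SET" ;;
        "") echo "BLANK" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# The article says to try several times because the first attempt may not
# show the problem. Given the space-separated results of the attempts,
# return 0 if any attempt saw a blank password.
any_blank() {
    for r in $1; do
        [ "$r" = "BLANK" ] && return 0
    done
    return 1
}

# Live probe (assumption: `dscl . -authonly root ""` exits 0 iff the empty
# password authenticates). Tries up to $1 times, mirroring the article's advice.
# Caveat from the comment thread: the probe itself may be what activates the
# account, so never run it without the fix step that follows.
root_blank_live() {
    n=0
    while [ "$n" -lt "${1:-3}" ]; do
        n=$((n + 1))
        if dscl . -authonly root "" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Set a random root password (the article's remediation, done non-interactively
# with dscl instead of passwd) and re-check. The password is deliberately not
# recorded: as the article notes, admins keep using their own accounts.
fix_root_password() {
    new_pw=$(openssl rand -base64 30)
    sudo dscl . -passwd /Users/root "$new_pw" || return 1
    unset new_pw
    # Verify: a blank password must now be rejected on every attempt.
    if root_blank_live 3; then
        echo "root still accepts a blank password; apply Apple's Security Update 2017-001" >&2
        return 1
    fi
    echo "root password set; blank password now rejected"
}

# Usage on a Mac: sh check_root.sh --fix
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--fix" ]; then
    if root_blank_live 3; then
        echo "root accepts a blank password - fixing"
        fix_root_password
    else
        echo "root did not accept a blank password in 3 attempts"
    fi
fi
```

Setting the password with dscl rather than passwd avoids the interactive prompts, which is what makes the fix scriptable; re-running the probe afterwards is the equivalent of the article's "you don't have a blank root password" check, and a machine that still accepts a blank password after the fix should simply get Apple's update.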

Check your Mac, and fix this now!

Note. We think that the default setup of macOS prevents you using this trick remotely. You must have physical access to the computer. Also, if FileVault (full disk encryption) is turned on and the Mac is shut down rather than logged off or locked, you have to enter the disk password before you can get at a login prompt at all.


12 Comments

stop with your cruel sense of humor, this cannot be true… :(

Reply

Well, here’s a real-world test. Open System Preferences. Go to Security & Privacy, a preferences pane that is locked. Click the padlock. At the security popup required to authorise unlocking these settings, change your own username to root and hit [Enter] twice (or click in the empty password field and then click [Unlock]). On my Mac, it unlocked. Just like that.

OK, if my Mac’s unattended and a passer-by can access System Prefs then I’m already in security trouble… but this makes it much worse. Why have a password dialog at all if it can be bypassed at will?

Reply

Okay….. so that was easy. Can someone do this same trick remotely? I have been having all sorts of problems with my mac in the last month and this is my 4th brand new freaking macbook pro in as much time. I’m glad that apple will allow a return in 14 days with no questions asked but I’m starting to get sick of going to the apple store and being told that I’m an idiot and that there is no way that the problem is with my apple product and I must have done something wrong and if the problem continues I should call the FBI. (True story) WTF! apple

Reply

We discussed this in the article – see the Note at the end:

“We think that the default setup of macOS prevents you using this trick remotely.”

As you say that you are “having all sorts of problems” without explaining what they are, or what has been done to try to fix them so far, I’m afraid that it’s impossible to comment on what might have caused them.

Reply

https://forums.developer.apple.com/thread/79235#277225

There was mention about that issue on Apple’s own forums already at 13th of November…

Reply

So this requires that the attacker have physical access to a running and unlocked machine. It only affects the latest version of the OS and will be patched pronto. In other words, virtually no-one will be affected by this. And you think this will put Apple ahead of Equifax and Uber in the cock-up stakes? Let’s keep a sense of proportion shall we?

Reply

In my tests, I was able to log in as root from the login screen, i.e. to take over a locked computer as the superuser. (I realised it had worked when I saw the “Setting up your Mac” screen for a short while, followed by the default High Sierra mountain background – my own account has the Hawaiian Print backdrop. I opened the Terminal app and there I was at a ‘#’ prompt. Just like that.)

As for “it will be patched pronto”…let’s wait and see. Apple’s official policy is “no comment at all until the fix is out”, so your presumption that the fix will happen really quickly falls closer to the category of a religious belief (one that by definition cannot be tested) than a scientific opinion (unless you have heard something from Apple that I have not).

So for all that there was an element of humour in the comparison with Uber and Equifax, the question was to find the most how-could-that-have-happened flaw, not the most extensive, hurtful, dangerous, and so on. And I think you might reasonably expect the bar to be higher at Apple than at, well, at the taxi company that isn’t.

As for “virtually no one”…I’ve seen credible estimates that about 30% of Mac users have already upgraded to 10.13 (High Sierra), or bought a Mac recently enough to have had it pre-installed. I’d call that “literally a lot” rather than “virtually no one”…

Reply

Eating my words (sort of) – patch came out at 16:20 UTC today (Wednesday 2017-11-29). Just got Apple’s email.

Reply

The instructions for checking the vulnerability are incomplete: The FIRST time you do “passwd root” you get the authentication error, but the SECOND time it goes through. Evidently the first time somehow activates the account. Only if the second time also shows the error, then you have a password set. (The vulnerability can be exploited even if you haven’t run the command.)

Reply

Hmmm. I can’t easily retest that myself (haven’t got macOS 10.13 to work in a VM yet and don’t have a spare Mac). By the time I figured out the passwd root test, I had already logged in as root at least once, and so I can no longer figure what was needed, if anything, to make it so.

Are you sure that it’s “one for the money, two for the show”, or could it be “one, two, three, dot dot dot (N-1) for the money, N for the show”?

I’ll edit the article while acknowledging the uncertainty…thanks for the note.

PS. Has anyone seen anything concrete and official from Apple yet [2017-11-29T16:00Z]?

Reply

Just got Apple’s Security Advisory SA-2017-11-29-1 – problem “addressed with improved credential validation” :-)

Reply

We tested on several Macs in our office, second try always did the trick. You could reset the state by disabling the root account, then again it took two tries.

Security Update 2017-001 was just released fixing the issue.

Reply
