MacOS High Sierra has major security issue - allows logging in as root without password

I get a feeling this is going to be really, really bad… I wish this had leaked in time to make today’s news!


Oh fun times.

So it works on fresh out of the box MacOS 10.13 installs, but if you have set a Root password then this will not work.

So this will be a problem for most everyday users, the ones that don’t think too much about the maintenance of a PC.


I mean setting a root password is definitely not part of the average user’s set up so yeah, I can see this being pretty serious. I guess the fact that it seems to only work from the system preferences menu is the saving grace at least.

It’s surprising to me how apple manages to f**k up so bad with software.
iOS 11 pretty much launched in alpha state as well.

The “just works” days of iOS and MacOS are long gone.


Apparently this vulnerability was used as a solution to troubleshoot a login issue.


yes, long gone… i started to hate my mac mini 3 updates ago. its fine with linux now.

Beginning to appreciate the annoying forcing of passwords/root in linux. Wonder how something like this slips by ?

Perhaps many a family support person will be saved by this over the holidays.

Son! I cant get on my macbook anymore. The genius folk recommended to have it reinstalled…

  • Hold my eggnog!



Friends don’t let friends upgrade MacOS/OS X before the .2 release.


Fixed that for you /s


True, but if they have to use it for work or whatever…

1 Like

The Register (I know it is not liked… people like their tech news super cereal for some reason) did a piece on why this happened.

Mac security specialist and Synack chief researcher Patrick Wardle explained the programming cockup in more detail, summarizing it as:
For accounts that are disabled (i.e. don’t have ‘shadowhash’ data) macOS will attempt to perform an upgrade. During this upgrade, od_verify_crypt_password returns a non-zero value. The user (or attacked) specified password is then ‘upgraded’ and saved for the account.
It appears that od_verify_crypt_password should fail (maybe it does and the check of the return code for 0x0 is just inverted?) Or perhaps the call to odm_RecordVerifyPassword assumes can only be called in a validated/authenticated context?

It has since been patched, but in doing so they broke file sharing to some degree.

Updated on 30 November to add
Oops. It seems that also, in its rush to release a patch, Apple may have bricked filesharing for some users. According to a support document, “If you experience issues with authenticating or connecting to file shares on your Mac” then you should update your network authentication settings in the Terminal with sudo /usr/libexec/configureLocalKDC.