Yesterday it was revealed that macOS has a critical bug that allows any user with physical access to a device, to login as the root user with no password. I have tested this myself, via the process below:
- Open System Preferences > Users & Groups
- Select the lock [ 🔒 ] in the bottom left-hand corner of the window.
- Clear the pre-filled username, & replace it with “root” & select [Unlock].
- Once the attempt is rejected, try again with the same settings as above. I’ve read from a few different sources that say to do it a few times, before you are allowed in. During my testing, I just had to attempt it twice, & I was in.
In order to fix this issue, you must change the root password through the Directory Utility. Open the app, hit the lock [ 🔒 ] to enter your credentials (or use the root exploit again) then go to Edit > Change Root Password…
NOTE: You MUST choose to change the password. Simply disabling the root account does not correct the issue. If you disable the account, running through the same process for the exploit reactivates the root account without a password.
Bryan Krebs has made a post about this as well: Krebs on Security: MacOS High Sierra Users: Change Root Password Now.
And since creating pretty logos for exploit seems to be a thing now…: