There's a new macOS vulnerability that hackers within physical reach of your computer can use to gain root access to your system and accounts. Just by using "root" as the username and a blank password on a privilege escalation prompt, someone can install malware on your computer, access hidden files, reset your passwords, and more. Root access gives them the ability to do anything they want.
Right now, this only appears to affect Mac users running macOS High Sierra 10.13.1.
To test if your system could be hacked, go to the "Users & Groups" section in "System Preferences," and click on the lock icon at the bottom of the pane to make changes. Remove your username and replace it with "root" instead. Next, click inside the password box, then hit the "Unlock" button.
You may have to hit "Unlock" a few times to get it to unlock, but it will eventually work unless you manually set a root password on your Mac, which you likely didn't. This is just one example, but any security prompt asking for a username and password can be bypassed in this way, including on the login screen.
To protect yourself from this huge security flaw (CVE-2017-13872), install the Security Update 2017-001 from Apple immediately, which was issued on Wednesday, Nov. 29. Just open up the Mac App Store app, go to the "Updates" tab, then hit "Update" next to the security update. Apple states that "a logic error existed in the validation of credentials" in their description of the update's content.
If you need root user access yourself, you'll have to re-enable and select a new password from the Directory Utility in System Preferences.
Previously, before Apple released the patch, the only way to protect yourself (besides enabling the root user manually) was to make sure you were logged in as administrator and open up the Terminal app, which could be found in the "Utilities" folder in "Applications" or through a Spotlight search for it. Once there, you would do the following.
- Type sudo passwd -u root and hit enter.
- Enter your current admin password and hit enter.
- Enter a new password for root and hit enter.
- Re-enter the root password to confirm and hit enter.
After using the trick above, if you try to use the "root" and blank password to gain root access on a privilege escalation prompt, it won't work, and you'll need to enter your new root password in. After updating with Apple's patch, it won't work either, but you also won't have a root password.
If you used the Terminal trick or created a root password manually, make sure to remember your new root password or keep it in a password manager you can access from other devices. If you should lose it, it will be a difficult process to reset it should you need to.