Spacewalk at Roswell Space Center, Roswell, NM, United States. March 29, 2016.

Real men log in as root

Oops, that account should not be enabled

An interesting security vulnerability in MacOS was disclosed earlier today. Rather than going through responsible disclosure, it was posted on Twitter. Which is kind of baller.

The tweet in question:

Baller Tweet

His description left out a few other ways of exploiting this (thanks, 140 280 character limit!). One very notable way is through clicking ‘Other User’ on the lock screen.

As good, responsible, computer owners we all lock our screens when we leave our computers at our desks to go to the bar important off-site business meetings. Sadly, that no longer does anything1. The root user can log in, disable encryption, change your passwords, and basically have a field day.

It looks like somehow the root user gets enabled automatically by MacOS (it is not supposed to be enabled). Even disabling it just has MacOS turn it back on at the next login failure.

There does appear to be a workaround though. You can go to System Preferences ➔ Users & Groups:

Users and Groups

Click the lock icon and enter your password. Then hit “Login Options” and you will see this:

Login Options

Now hit the ‘Join …’ button:

Join

And click ‘Open Directory Utility …’. You’ll now be here:

Directory Utility

Click the lock icon again, enter your password, and then in the ‘Edit’ menu you will be able to change the root user’s password:

Change Password

Changing the password seems to fix it for me. Disabling the root user won’t do much. It will just re-enable itself.

Of course this has been tested on a sample set of one with no real understanding of what the underlying problem is. YMMV. At least for me it’s a way to be able to go to those important “meetings” still.

  1. There might be some prerequisites for this, like having a second user or Guest User on the system.