Huge security flaw leaves macOS High Sierra open to attack

macOS High Sierra
Apple let a major security flaw slip through the cracks.
Photo: Apple

A serious security flaw in macOS High Sierra has been exposed that allows anyone to gain full access to affected Macs without knowing the computer’s administrative password.

The bug appears to let someone log into the admin account on a Mac by simply typing “root” as the username while leaving the password field blank. Attackers could potentially exploit the bug to access locked Macs and gain access to personal information.

Developer Lemi Orhan Ergin was the first to spot the flaw and posted about it on Twitter. It appears that Apple currently doesn’t have a fix for it, or wasn’t even aware of the problem.

You can see the security bug in action yourself. To replicate it, open System Preferences and go to the Users & Groups section. Click the lock to bring up the login box. Then type “root” in the username field, click the password field but leave it blank. Now click unlock and it should open up full access to the administrator account.

Apple released the following statement about the security flaw this afternoon:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac.”

As a quick fix, Apple recommends following its guide on how to enable the Root User and set a password for it. You can set yours by opening Terminal and typing the following command: “sudo passwd -u root”. After that, enter your own password and then a new password for the root user, and you should be secure.
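For admins who want to check a fleet rather than one machine, here is an added shell script (not from this article, and not Apple's own tooling) that audits whether the root account on a Mac has a password set before applying the mitigation above. It assumes that `dscl . -read /Users/root AuthenticationAuthority` prints an `AuthenticationAuthority:` line when root has a password hash and an error containing `No such key` when the attribute is absent; both the sample outputs and the classifier are constructed for this example, and the script only calls `dscl` when that tool is present.

```shell
#!/bin/sh
# Added example, not from the article or from Apple. Audits the root
# account's password state on macOS and points at the mitigation the
# article describes (setting a root password).

# classify_root_auth: classify captured dscl output (stdout+stderr) into
#   password-set : root has an AuthenticationAuthority attribute
#   no-password  : attribute absent ("No such key"), the state to fix
#   unknown      : anything else
# Assumed output formats (constructed for this example):
#   "AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>"  -> password-set
#   "... No such key: AuthenticationAuthority"             -> no-password
classify_root_auth() {
    case "$1" in
        *"AuthenticationAuthority:"*) echo "password-set" ;;
        *"No such key"*|"")           echo "no-password" ;;
        *)                            echo "unknown" ;;
    esac
}

# audit_root_on_mac: run the real query (macOS only) and report.
# Returns 0 when a root password is set, 1 when it is missing,
# 2 when the check could not be performed.
audit_root_on_mac() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: this check only runs on macOS" >&2
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_auth "$out")
    echo "root account state: $state"
    case "$state" in
        password-set) return 0 ;;
        no-password)
            echo "No root password set; apply the mitigation: sudo passwd -u root" >&2
            return 1 ;;
        *)
            echo "Unrecognised dscl output, inspect manually:" >&2
            echo "$out" >&2
            return 2 ;;
    esac
}

# Only perform the live query when run on a machine that has dscl.
if command -v dscl >/dev/null 2>&1; then
    audit_root_on_mac
fi
```

Run it with `sh audit_root.sh` on the Mac; a non-zero exit means the root password still needs to be set, which makes the script easy to wire into a management tool that reports per-host compliance.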
