Security: macOS High Sierra bug lets you log in as 'root'... without a password
If you thought that you needed a password to access a password-protected Mac, think again. A massive security hole has been discovered in macOS High Sierra that makes it possible to log in with admin rights without the need to provide a password.
The problem appears to be specific to High Sierra, and the ease with which it is possible to gain unfettered access to a system has many people -- understandably -- concerned.
Logging in with administrator rights requires little more than entering 'root' as the username and leaving the password field empty. It really is that simple. While there are obvious concerns about the vulnerability enabling people to access a Mac, people are also worried about the implications for malware attacks.
On Twitter, it seems as though Apple was fairly swift to respond after software engineer Lemi Orhan Ergin brought the matter to the company's attention:
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
After 12 hours, the company invited him to get in touch so they could discuss the problem further:
Let's take a closer look at what's happening together. Send us a DM that includes your Mac model along with your macOS version. We'll meet up with you there. https://t.co/GDrqU22YpT
— Apple Support (@AppleSupport) November 28, 2017
But it turns out that the problem was highlighted in Apple's developer forums two weeks ago. User chethan177 explained:
If you're unable to login at startup using username: root and empty password, then login with your existing account (standard user).
Again, head over to System Preferences>Users & Groups. Click on the Lock Icon. When prompted for username and password, type username: root and leave the password empty. Press enter. This might throw an error, but try again immediately with the same username: root and empty password. This should unlock the Lock Icon.
Apple now says that it is working on a fix for what is a serious security issue. The company issued a statement saying:
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the "Change the root password" section.