[Update 11/29: Apple Releases macOS High Sierra Security Update to Fix Root Password Vulnerability, according to MacRumors]
You may have heard rumblings about an incredibly bad bug in macOS High Sierra that lets anyone walk up to a Mac and log in as the root superuser without a password. The root superuser has unrestricted control of any UNIX-based machine, and macOS is no exception: as root, someone can read, change or delete any file, create or remove accounts, and change any system setting. This post shows how the bug works and how to put a quick fix in place until Apple ships a macOS High Sierra update.
The bug was discovered by developer Lemi Ergin, who found that anyone could sit down at a Mac and get superuser access just by entering the user name “root” with a blank password. It works when authenticating to unlock administrator settings on a Mac that is already logged in, but even worse, it also lets anyone log into a locked Mac with “root” and a blank password. Two caveats matter here: the first attempt often fails and the second succeeds, and a successful attempt does more than read the system, it actually enables the root account with an empty password, leaving the Mac exposed until a root password is set.
Want to try this on your own Mac? Here’s how (it works from any account on the Mac, whether an administrator, a standard user or a guest). Remember that a successful attempt enables the root account with no password, so set a root password afterwards, as described below.
1) Launch System Preferences
2) Click on Users & Groups
3) Click the lock icon in the lower left corner to unlock the pane for making changes to user accounts
4) Type “root” as the User Name
5) Move the cursor to the Password field, click on it, but don’t type a password into the blank field
6) Click the “Unlock” button. If the pane does not unlock the first time, repeat steps 4 through 6. The Mac should now give you full access to add a new administrator account, delete an account, and so on…
This also works at the Mac login screen: click “Other…” to sign in as someone other than the Mac’s usual users, then enter “root” as the user name with no password. That root session can see everything on the Mac, delete files, and wreak havoc…
Apple has responded to the revelation about the bug with a note that says:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
This might not be an issue if you’re the only person with physical access to your Mac, but if you’re anywhere that someone else could sit down at it, you should enable the root user and give it a strong password. If Screen Sharing or Remote Management is turned on, the Mac is reachable over the network as well, so physical access is not the only concern.
Rather than repeat what is said on the Apple support page referenced in the quote above, we suggest that you head to that page immediately and follow the instructions to enable the root user on your Mac, giving it a strong, unique password. Note that once Apple has resolved the issue with a patch, you should disable the root user again; an enabled root account is a standing risk even when its password is set.
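For readers who would rather do this from the Terminal, here is the same workflow as an added example (not from the original post or from Apple’s support page): it reports whether the root account is enabled, sets a root password as the interim mitigation, and disables root again after the update is installed. The helper names `classify_root_auth` and `is_high_sierra` are hypothetical, and the script assumes that a disabled root account has no AuthenticationAuthority attribute in the local directory (so `dscl` reports “No such key”) while an enabled one carries a `;ShadowHash;` entry. The macOS-specific commands only run when `uname` reports Darwin.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple: inspect the state of
# the root account on a Mac, set a password on it (the interim mitigation Apple
# recommends) and disable it again once the security update is installed.
# Assumptions: a disabled root account has no AuthenticationAuthority attribute,
# so dscl(1) prints "No such key" for it; an enabled one prints the attribute
# with a ";ShadowHash;..." value. The helpers below are pure shell so they can be
# exercised anywhere; dscl/passwd/dsenableroot are only called on macOS.

# Classify the text dscl printed for /Users/root's AuthenticationAuthority.
# Prints "disabled", "enabled" or "unknown". "enabled" does NOT tell you whether
# the password is blank; the fix (set a password) is the same either way.
classify_root_auth() {
    case "$1" in
        *"No such key"*)            echo "disabled" ;;
        *AuthenticationAuthority:*) echo "enabled" ;;
        *)                          echo "unknown" ;;
    esac
}

# Exit 0 when the product version is in the High Sierra (10.13.x) line, the only
# line this bug affects. The version string alone cannot tell you whether the
# security update has been applied, so this is a prompt to check for the update,
# not proof of vulnerability.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Never probe the bug by attempting a blank-password login, in the GUI or with
# "dscl . -authonly": on an unpatched Mac that attempt is exactly what enables
# root with no password.
if [ "$(uname)" = "Darwin" ]; then
    version=$(sw_vers -productVersion)
    if is_high_sierra "$version"; then
        echo "macOS $version is High Sierra: confirm the security update is installed"
    else
        echo "macOS $version is not High Sierra; this bug does not apply"
    fi

    state=$(classify_root_auth "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    echo "root account: $state"

    case "${1:-report}" in
        fix)
            # Interim mitigation: give root a password. passwd prompts for it,
            # so it never lands in shell history or the process list. Setting
            # the password also enables the account, which is what Apple's
            # support note asks for.
            sudo passwd root ;;
        disable)
            # After the update is installed, turn the root account off again.
            sudo dsenableroot -d ;;
        report)
            echo "run '$0 fix' to set a root password, or '$0 disable' after patching" ;;
    esac
fi
```

Run it with no argument to see the report, with `fix` to set the root password, and with `disable` once the update is installed. The `fix` path deliberately uses the interactive `passwd` prompt rather than `dsenableroot -u ... -r ...`, so the new root password never appears on a command line.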
It said ‘root’ is already used by another user!