A vulnerability found in macOS High Sierra allows anyone to access your Mac without a password. A developer named Lemi Orhan Ergin reported it to Apple publicly in a tweet: anyone can log in to a macOS High Sierra Mac as the root user with an empty password.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
How to fix macOS High Sierra root bug
Apple has confirmed the macOS High Sierra root bug and said it is working on a fix. Until Apple releases an update that fixes the bug, follow the steps below to enable the root user and set a password for it.
UPDATE: Apple Released a Patch to Root Vulnerability
Apple quickly released an update for macOS High Sierra that fixes the root login vulnerability. The update is available for High Sierra 10.13.1; according to Apple, the vulnerability does not impact 10.12.6 or earlier.
To update macOS right now, go to the App Store and download the latest update for High Sierra. Don’t wait for the auto-update notification; install it right away.
Here are Apple’s official notes on the root bug:
Security Update 2017-001
Released November 29, 2017
Directory Utility
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
If you require the root user account on your Mac, you will need to re-enable the root user and change the root user’s password after this update.
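To confirm which machines still need the update, the version and build details in the notes above can be turned into a quick check. The script below is an added example, not Apple's or this article's own code; the sample inventory and hostnames are constructed, and treating any 17B build numbered 1002 or higher as patched is an assumption (the notes name only 17B1002).

```shell
#!/bin/sh
# Added example: triage macOS hosts against the Security Update 2017-001 notes.
# From the page: 10.13.1 affected, 10.12.6 and earlier not impacted, fixed build 17B1002.

# classify_host VERSION BUILD -> prints one status word.
classify_host() {
    # Split "10.13.1" on dots; missing minor/patch fields default to 0.
    IFS=. read -r major minor patch extra <<EOF
$1
EOF
    minor=${minor:-0}; patch=${patch:-0}
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unparseable; return 0 ;; esac
    done
    if [ "$major" -lt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -le 12 ]; }; then
        echo not-impacted; return 0
    fi
    if [ "$major" -ne 10 ] || [ "$minor" -ne 13 ] || [ "$patch" -ne 1 ]; then
        echo not-covered; return 0      # the quoted notes do not address this version
    fi
    # Assumption: among 10.13.1 (17B) builds, a build number >= 1002 has the fix.
    case $2 in
        17B[0-9]*) num=${2#17B} ;;
        *) echo review; return 0 ;;     # build string does not look like 17Bnnnn
    esac
    case $num in *[!0-9]*) echo review; return 0 ;; esac
    if [ "$num" -ge 1002 ]; then echo patched; else echo needs-update; fi
}

# triage_inventory: reads "host version build" lines on stdin, prints "host status".
triage_inventory() {
    while read -r host version build; do
        case $host in ''|'#'*) continue ;; esac
        echo "$host $(classify_host "$version" "$build")"
    done
}

# Constructed sample inventory (hostnames and build strings are illustrative).
SAMPLE_INVENTORY='mac-01 10.13.1 17B48
mac-02 10.13.1 17B1002
mac-03 10.12.6 16G29
mac-04 10.13.2 17C88'
printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory

# On a Mac, also classify the local machine using sw_vers.
if command -v sw_vers >/dev/null 2>&1; then
    echo "localhost $(classify_host "$(sw_vers -productVersion)" "$(sw_vers -buildVersion)")"
fi
```

A `not-covered` result means the notes quoted on this page say nothing about that version, so check it against Apple's current security notes.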
Temporary fix for the macOS High Sierra root bug
If you aren’t able to install this update, you can temporarily protect yourself from this security problem by setting a password for the root user on your Mac. Follow the steps below.
- Click the Apple icon in the top-left corner and select the “System Preferences” option from the menu.
- In the System Preferences window, click the “Users & Groups” option.
- In the bottom-left corner, click the Lock icon. An administrator username and password are required to make any changes to users and groups.
- After unlocking the Users & Groups preferences, click “Login Options” near the bottom-left corner of the window.
- Now, click the “Join…” button on the left side.
- In the next pop-up window, click the “Open Directory Utility…” button.
- In the Directory Utility window, click the Lock icon in the bottom-left corner.
- Enter the correct administrator username and password and click the “Modify Configuration” button. Now you can enable the root user.
- Click the “Edit” menu at the top of the screen and select the “Enable Root User” option.
- If the “root” user is already enabled, select the “Change Root Password” option from the “Edit” menu instead.
- Type a password for the root user and click the OK button to save it.
- Next click the Lock button to