A major bug has been discovered in macOS High Sierra that can allow anyone to log in as root without a password.
The bug was discovered by Lemi Orhan Ergin who tweeted about it this morning:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
The bug has been verified and it is a massive security risk. It appears that an attempt to login as root with no password will enable the root user if it's not already enabled and give you access to the device. It appears to work on macOS 10.13, 10.13.1, and 10.13.2 beta.
To try the bug for yourself: ● Open System Preferences ● Choose Users & Groups from the System Preferences window ● Click the lock at the bottom left of the window ● Enter root as the username and hit enter or click Unlock.
It's believed that the first time you click Unlock the root account is enabled and the second time you click unlock you gain access. However, some users report needing to click a few more times. Others report needing to move the cursor into the password field first.
Until Apple releases a fix, you should enable the root user on your machine and give it a non-blank password. You can find instructions on how to do so below. This will prevent any malicious login attempts.
Apple says its working on a software update which should be available soon. Please follow iClarified on Twitter, Facebook, or RSS for updates.
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
No
Notifications
Would you like to be notified when we post a new Apple news article or tutorial?
Yes
No
Comments (4)
Comments are closed for this article.
0
Billy - November 29, 2017 at 5:19pm
Apple already released an update.
0
D4xM4Nx - November 29, 2017 at 9:23am
It's great that we've got a method to cover ourselves until Apple issues an update. I'm quite the security paranoid, so I enabled the root password feature first time since I got my MBP... Remember to create hard to guess passwords.
0
boom bomm - November 29, 2017 at 6:05am
freakin awesome
0
Jon Zubin - November 29, 2017 at 2:25am
Root with Blank password reminds me of early Unix running on a PDP 11-45 in the early seventies
![Apple Releases macOS Tahoe 26.3 Beta 3 to Developers [Download]](/images/news/99750/99750/99750-160.jpg "Apple Releases macOS Tahoe 26.3 Beta 3 to Developers [Download]")
![Apple Seeds Third Betas of watchOS 26.3, tvOS 26.3, and visionOS 26.3 to Developers [Download]](/images/news/99748/99748/99748-160.jpg "Apple Seeds Third Betas of watchOS 26.3, tvOS 26.3, and visionOS 26.3 to Developers [Download]")
![Apple Releases iOS 26.3 Beta 3 and iPadOS 26.3 Beta 3 to Developers [Download]](/images/news/99746/99746/99746-160.jpg "Apple Releases iOS 26.3 Beta 3 and iPadOS 26.3 Beta 3 to Developers [Download]")
![Apple Releases iOS 26.2.1 and iPadOS 26.2.1 With Support for New AirTag [Download]](/images/news/99744/99744/99744-160.jpg "Apple Releases iOS 26.2.1 and iPadOS 26.2.1 With Support for New AirTag [Download]")
![Apple's 13-Inch M5 iPad Pro (Silver) Hits New All-Time Low at $1,149.99 [Deal]](/images/news/99729/99729/99729-160.jpg "Apple's 13-Inch M5 iPad Pro (Silver) Hits New All-Time Low at $1,149.99 [Deal]")
![Apple's 13-Inch M5 iPad Pro (1TB) Hits New All-Time Low at $1,706 [Deal]](/images/news/99716/99716/99716-160.jpg "Apple's 13-Inch M5 iPad Pro (1TB) Hits New All-Time Low at $1,706 [Deal]")
![Apple Pro Display XDR Drops to $3,999 With Massive $1,000 Discount [Deal]](/images/news/99684/99684/99684-160.jpg "Apple Pro Display XDR Drops to $3,999 With Massive $1,000 Discount [Deal]")
![Beats iPhone 17 Pro Kickstand Case Drops to $20.99, 64% Off [Deal]](/images/news/99680/99680/99680-160.jpg "Beats iPhone 17 Pro Kickstand Case Drops to $20.99, 64% Off [Deal]")
