Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

rootbug
To replicate, follow these steps from any kind of Mac account, admin or guest:

1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.

This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.

It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.

Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.

Update: An Apple spokesperson told MacRumors that a fix is in the works:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Update 2: Apple released a security update to address the vulnerability on Wednesday morning. The update can be downloaded on all machines running macOS 10.3.1 using the Software Update mechanism in the Mac App Store. Apple says it will automatically push out the update to all users who have not installed it later in the day.

In a statement provided to MacRumors, Apple said the company's engineers began working on a fix as soon as the problem was discovered. Apple also apologized for the vulnerability and said its development process is being audited to prevent something similar from happening in the future.

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

All users should download the new security update immediately.

Related Forum: macOS High Sierra

Top Rated Comments

Quu Avatar
68 months ago
Honestly, what the hell Apple?
Score: 112 Votes (Like | Disagree)
Mr. Donahue Avatar
68 months ago
PUll it together Craig. You’re embarrassing yourself and Apple with iOS 11 and now this? What a shame.
Score: 82 Votes (Like | Disagree)
hamiltonDSi Avatar
68 months ago
10 years ago I started buying Apple products to avoid this kind of bugs.
Funny how things change :)

EDIT one day later :

Apple pushed an update with a fix under 24 hours, this is why i'm still using Apple products :)
Score: 71 Votes (Like | Disagree)
turbineseaplane Avatar
68 months ago
We need an "Even Higher Sierra" release, and only that, this coming year.

High Sierra is just stoned enough that she's letting everyone in...
Maybe if Sierra gets a bit higher, paranoia, and security concerns, might kick in.
Score: 53 Votes (Like | Disagree)
M.PaulCezanne Avatar
68 months ago
But emoji karaoke is working well on iPhone X. Whew!
Score: 52 Votes (Like | Disagree)
rpe33 Avatar
68 months ago
I am Root.
Score: 40 Votes (Like | Disagree)

Popular Stories

iPhone trade in

Apple Adjusts Trade-In Values for iPhones, Macs, and More

Wednesday January 25, 2023 9:40 am PST by
After announcing new Mac and HomePod models last week, Apple adjusted its trade-in values for select devices in the United States. iPhone trade-in values decreased by up to $80, and most Android smartphones also went down. Mac trade-in values remained unchanged or increased by up to $40 depending on the model, while some Apple Watch models increased in value and others decreased. Trade-in...
iphone 15 pro wifi 6e

Internal Apple Document From Leaker 'Unknownz21' Confirms Wi-Fi 6E Will Be Limited to iPhone 15 Pro Models

Friday January 27, 2023 10:01 am PST by
Multiple rumors have suggested that the next-generation iPhone 15 models will adopt the Wi-Fi 6E standard that Apple has already introduced in the iPad Pro and MacBook Pro, and now a leaked document appears to confirm Apple's plans. Sourced from researcher and Apple leaker Unknownz21 (@URedditor), the document features diagrams of the iPhone 15's antenna architecture. D8x refers to the...
iPhone 14 Pro Purple Side Perspective Feature Purple

iPhone 15 Expected to Feature Wi-Fi 6E Like Latest Macs and iPad Pro

Wednesday January 25, 2023 5:39 pm PST by
The iPhone 15 will support Wi-Fi 6E, according to a research note shared this week by Barclays analysts Blayne Curtis and Tom O'Malley. The analysts did not specify whether the feature will be available on all models or limited to the Pro models. Apple has added Wi-Fi 6E support to a handful of devices so far, including the latest 11-inch and 12.9-inch iPad Pro, 14-inch and 16-inch MacBook...
maxresdefault

Hands-On With the New M2 Max MacBook Pro

Thursday January 26, 2023 12:14 pm PST by
New 14-inch and 16-inch MacBook Pro models with the latest M2 Pro and M2 Max chips are available in Apple retail stores and are already in the hands of customers, and we picked up one of the new M2 Max machines to answer all of the questions MacRumors readers considering a purchase might have. Subscribe to the MacRumors YouTube channel for more videos. Yesterday, we asked MacRumors fans on...
Mac Pro 2019 Apple

Mac Pro Enthusiasts Raise Concerns Over Upgrade Limitations of Apple Silicon

Thursday January 26, 2023 6:30 am PST by
The new Mac Pro coming later this year is expected to feature the same spacious modular design as the 2019 model, but with fresh concerns over its lack of upgradeability surfacing, some users are beginning to wonder what the transition away from Intel architecture actually means for Apple's most powerful Mac. The current Intel Mac Pro that Apple sells is popular with creative professionals...
iOS 16

iOS 16.3 for iPhone Launching Next Week With These 4 New Features

Friday January 20, 2023 11:43 am PST by
In a recent press release, Apple confirmed that iOS 16.3 will be released to the public next week. The software update will be available for the iPhone 8 and newer and includes a handful of new features, changes, and bug fixes. Below, we've recapped bigger features in iOS 16.3, including support for physical security keys as a two-factor authentication option for Apple ID accounts, worldwide ...
iPhone 14 Pro Purple Side Perspective Feature Purple

iPhone 15 Pro Rumored to Have These 8 Features

Friday January 27, 2023 2:11 pm PST by
Apple's next-generation iPhone 15 Pro and iPhone 15 Pro Max are expected to be announced in September as usual. Already, rumors suggest the devices will have at least eight exclusive features not available on the standard iPhone 15 and iPhone 15 Plus. An overview of the eight features rumored to be exclusive to iPhone 15 Pro models:A17 chip: iPhone 15 Pro models will be equipped with an A17...