Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

rootbug
To replicate, follow these steps from any kind of Mac account, admin or guest:

1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.

This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.

It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.

Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.

Update: An Apple spokesperson told MacRumors that a fix is in the works:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Update 2: Apple released a security update to address the vulnerability on Wednesday morning. The update can be downloaded on all machines running macOS 10.3.1 using the Software Update mechanism in the Mac App Store. Apple says it will automatically push out the update to all users who have not installed it later in the day.

In a statement provided to MacRumors, Apple said the company's engineers began working on a fix as soon as the problem was discovered. Apple also apologized for the vulnerability and said its development process is being audited to prevent something similar from happening in the future.

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

All users should download the new security update immediately.

Top Rated Comments

Quu Avatar
61 months ago
Honestly, what the hell Apple?
Score: 112 Votes (Like | Disagree)
Mr. Donahue Avatar
61 months ago
PUll it together Craig. You’re embarrassing yourself and Apple with iOS 11 and now this? What a shame.
Score: 82 Votes (Like | Disagree)
hamiltonDSi Avatar
61 months ago
10 years ago I started buying Apple products to avoid this kind of bugs.
Funny how things change :)

EDIT one day later :

Apple pushed an update with a fix under 24 hours, this is why i'm still using Apple products :)
Score: 71 Votes (Like | Disagree)
turbineseaplane Avatar
61 months ago
We need an "Even Higher Sierra" release, and only that, this coming year.

High Sierra is just stoned enough that she's letting everyone in...
Maybe if Sierra gets a bit higher, paranoia, and security concerns, might kick in.
Score: 53 Votes (Like | Disagree)
M.PaulCezanne Avatar
61 months ago
But emoji karaoke is working well on iPhone X. Whew!
Score: 52 Votes (Like | Disagree)
rpe33 Avatar
61 months ago
I am Root.
Score: 40 Votes (Like | Disagree)

Popular Stories

cook sept 2020 event

Gurman: Apple Preparing Pre-Recorded iPhone 14 and Apple Watch Series 8 Event

Sunday August 7, 2022 6:13 am PDT by
Apple has "started to record" its virtual September event, where it's expected to announce the upcoming iPhone 14 lineup, the Apple Watch Series 8, and a new "rugged" Apple Watch model, according to Bloomberg's Mark Gurman. Writing in his latest Power On newsletter, Gurman says the event, which is expected to take place in the early part of September, is already under production, implying...
iPhone 14 Lineup Feature Purple

Color Options for All iPhone 14 Models: Everything We Know

Monday August 8, 2022 3:59 am PDT by
The iPhone 14 and iPhone 14 Pro models are rumored to be available in a refreshed range of color options, including an all-new purple color. Most expectations about the iPhone 14 lineup's color options come from an unverified post on Chinese social media site Weibo earlier this year. Overall, the iPhone 14 and iPhone 14 Pro's selection of color options could look fairly similar to those of the ...
ios 16 beta 5 battery percent

iOS 16 Beta 5: Battery Percentage Now Displayed in iPhone Status Bar

Monday August 8, 2022 10:43 am PDT by
With the fifth beta of iOS 16, Apple has updated the battery icon on iPhones with Face ID to display the specific battery percentage rather than just a visual representation of battery level. The new battery indicator is available on iPhone 12 and iPhone 13 models, with the exception of the 5.4-inch iPhone 12/13 mini. It is also available on the iPhone 11 Pro and Pro Max, XS and XS Max, and...
iOS 16 battery percentage

Apple Limiting iOS 16 Beta 5 Battery Percentage Display to Select iPhones: Here Are the Supported Devices

Tuesday August 9, 2022 2:51 am PDT by
Apple this week brought back one of the most highly requested features from iOS users since the launch of the iPhone X in 2017: the ability to see your battery percentage directly in the status bar. Ever since the launch of the iPhone X with the notch, Apple has not allowed users to show their battery percentage directly in the status bar, forcing them to swipe down into Control Center to...
ios 16 battery indicator 2

Everything New in iOS 16 Beta 5: Battery Percentage in Status Bar, Find My Changes and More

Monday August 8, 2022 12:53 pm PDT by
Apple today seeded the fifth beta of iOS 16 to developers for testing purposes, introducing some small but notable changes to the iOS operating system. Subscribe to the MacRumors YouTube channel for more videos. We've rounded up everything new in the fifth beta below. Battery Percentage in Status Bar The battery icon in the status bar now displays the exact battery percent, a feature that ...
iphone 14 pro max camera bump compared lipilipsi 16 9

Bigger iPhone 14 Pro Max Camera Bump Shown Alongside iPhone 13 Pro Max

Monday August 8, 2022 4:33 am PDT by
The camera bump on the upcoming iPhone 14 Pro Max is expected to be the largest rear lens housing Apple has ever installed on its flagship smartphones, and a new photo offers a rare glimpse at just how prominent it is compared to Apple's predecessor device. iPhone 14 Pro Max dummy (left) vs iPhone 13 Pro Max All iPhone 14 models are expected to see upgrades to the Ultra Wide camera on the...
airpods pro black background

Beyond iPhone 14: Five Apple Products Expected to Launch Later This Year

Monday August 8, 2022 9:43 am PDT by
While the iPhone 14 and Apple Watch Series 8 are expected to be announced in September as usual, there are several more Apple products rumored to launch later this year, including new iPad and Mac models and more. Beyond the iPhone and Apple Watch, we've put together a list of five Apple products that are most likely to be unveiled by the end of 2022. Second-Generation AirPods Pro Apple...