Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

rootbug
To replicate, follow these steps from any kind of Mac account, admin or guest:

1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.

This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.

It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.

Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.

Update: An Apple spokesperson told MacRumors that a fix is in the works:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Update 2: Apple released a security update to address the vulnerability on Wednesday morning. The update can be downloaded on all machines running macOS 10.3.1 using the Software Update mechanism in the Mac App Store. Apple says it will automatically push out the update to all users who have not installed it later in the day.

In a statement provided to MacRumors, Apple said the company's engineers began working on a fix as soon as the problem was discovered. Apple also apologized for the vulnerability and said its development process is being audited to prevent something similar from happening in the future.

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

All users should download the new security update immediately.

Top Rated Comments

Quu Avatar
53 months ago
Honestly, what the hell Apple?
Score: 112 Votes (Like | Disagree)
Mr. Donahue Avatar
53 months ago
PUll it together Craig. You’re embarrassing yourself and Apple with iOS 11 and now this? What a shame.
Score: 82 Votes (Like | Disagree)
hamiltonDSi Avatar
53 months ago
10 years ago I started buying Apple products to avoid this kind of bugs.
Funny how things change :)

EDIT one day later :

Apple pushed an update with a fix under 24 hours, this is why i'm still using Apple products :)
Score: 71 Votes (Like | Disagree)
turbineseaplane Avatar
53 months ago
We need an "Even Higher Sierra" release, and only that, this coming year.

High Sierra is just stoned enough that she's letting everyone in...
Maybe if Sierra gets a bit higher, paranoia, and security concerns, might kick in.
Score: 53 Votes (Like | Disagree)
M.PaulCezanne Avatar
53 months ago
But emoji karaoke is working well on iPhone X. Whew!
Score: 52 Votes (Like | Disagree)
rpe33 Avatar
53 months ago
I am Root.
Score: 39 Votes (Like | Disagree)

Popular Stories

airtag in hand

Apple AirTag Linked to Increasing Number of Car Thefts, Canadian Police Report

Friday December 3, 2021 7:10 am PST by
Apple's AirTags are being used in an increasing number of targeted car thefts in Canada, according to local police. Outlined in a news release from York Regional Police, investigators have identified a new method being used by thieves to track down and steal high-end vehicles that takes advantage of the AirTag's location tracking capabilities. While the method of stealing the cars is largely ...
apple top apps games 2020

Apple Reveals the Most Downloaded iOS Apps and Games of 2021

Thursday December 2, 2021 12:05 am PST by
Along with naming its editorial picks for the top apps and games of 2021, Apple today shared charts for the most downloaded free and paid apps and games in the United States across 2021. The number one most downloaded free iPhone app was TikTok, followed by YouTube, Instagram, Snapchat, and Facebook. The top paid iPhone apps included Procreate Pocket, HotSchedules, The Wonder Weeks, and Touch...
m3 feature black

Macs With 'M3' Chips Expected to Use TSMC's 3nm Chip Technology With Test Production Reportedly Underway

Thursday December 2, 2021 7:36 am PST by
Apple's chipmaking partner TSMC has kicked off pilot production of chips built on its 3nm process, known as N3, according to Taiwanese supply chain publication DigiTimes. The report, citing unnamed industry sources, claims that TSMC will move the process to volume production by the fourth quarter of 2022 and start shipping 3nm chips to customers like Apple and Intel in the first quarter of...
telsa cyberwhistle

Elon Musk Urges Customers to Buy 'Tesla Cyberwhistle' Instead of Apple Polishing Cloth

Wednesday December 1, 2021 4:01 am PST by
Tesla CEO Elon Musk has encouraged customers to buy the "Cyberwhistle" for $50 instead of Apple's much-discussed Polishing Cloth. The product page, which Musk shared on Twitter on Tuesday evening, offers a limited edition stainless steel whistle with the same distinctive design of the Tesla Cybertruck:Inspired by Cybertruck, the limited-edition Cyberwhistle is a premium collectible made from ...
app store awards 2021

Apple Picks the 2021 App Store Award Winners, Highlighting the Best Apps of the Year

Thursday December 2, 2021 12:01 am PST by
Apple today shared its 2021 App Store Award winners, highlighting the 15 best apps and games selected by Apple's global App Store editorial team. The top apps were chosen for their quality, innovative technology, creative design, and positive cultural impact. "The developers who won App Store Awards in 2021 harnessed their own drive and vision to deliver the best apps and games of the year --...
MBA Mock White Front Blue

2022 MacBook Air Getting Major Display Upgrade With One Drawback

Friday December 3, 2021 3:01 am PST by
Apple's next-generation MacBook Air is reportedly set to bring over many of the new MacBook Pro's features, with one noticeable omission, according to recent reports. The latest MacBook Pro models feature a mini-LED "Liquid Retina XDR" display with deep blacks and support for up to 1,600 nits peak brightness. The display also features Apple's "ProMotion" technology, which is capable of...