A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.
Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:
From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.
Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.
To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."
Update: Apple has released a security update to fix this issue, and all macOS High Sierra users should apply the update as soon as possible to ensure they are protected.
Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:
- Open Spotlight and search for Directory Utility.
- Double click on the app result to open.
- Click on the lock at the bottom of the window to make changes and enter your username and password for an administrator account on your computer.
- In the menu bar at the top of the screen, choose "Edit."
- Select "Enable Root User."
From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.
Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.
To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."
Update: Apple has released a security update to fix this issue, and all macOS High Sierra users should apply the update as soon as possible to ensure they are protected.
82 comments
Back in March, Facebook announced that millions of Facebook passwords were stored on its servers in plain text with no encryption. At the time, Facebook also said that "tens of thousands" of...
Apple likely paid somewhere around $5 to $6 billion to settle its ongoing legal battle with Qualcomm, according to estimates shared today by UBS analyst Timothy Arcuri (via CNBC).
The...
All three 2019 iPhones will feature 12-megapixel single-lens front cameras, up from 7-megapixels on the iPhone XS, iPhone XS Max, and iPhone XR, according to the latest research note from well-known...
Apple has opened a new lab that will study how it can expand upon its current recycling processes through machine learning and robotics. The company announced the news today, along with other...
Samsung this week provided reviewers with Galaxy Fold devices for some hands-on time, and it appears the folding smartphone may be suffering from some serious flaws. Three of the reviewers who...
Apple is facing a class action lawsuit accusing the company of securities fraud for making false statements and failing to disclose adverse information regarding its business prospects. These actions...
Apple is developing a new app that combines Find My iPhone and Find My Friends into a single package, according to 9to5Mac's Guilherme Rambo. The report cites sources familiar with ongoing...
