If you’re using a Mac running the latest macOS High Sierra operating system, here’s something that requires your immediate attention. Developer Lemi Ergin recently discovered a bug that gives anyone admin access to your Mac without even keying in a password.
Just key in “root” as the username, leave the password field blank, and you can access a locked Mac running macOS High Sierra. With admin access, anyone can open all your files and even change your settings without needing a password. The bug is present in the current version of macOS High Sierra, 10.13.1, and even in the macOS 10.13.2 beta versions.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can even test out the flaw for yourself. Simply open System Preferences and click on Users & Groups. Click on the lock to make changes, type “root” as the username, click on the password field and leave it blank, then click Unlock, and you should have full access to add a new administrator account. At the lock screen, simply click on “Other”, then do the same: enter “root” as the username and leave the password field blank.
So, how do you prevent people from making use of the bug to access your Mac? Prevent guest access and set a password for the root account.
Disable guest access:
- Launch System Preferences
- Select “Users & Groups”
- Select “Guest User”
- Uncheck “Allow guests to log in to this computer”
Set a password for the root account:
- Launch System Preferences and click “Users & Groups”
- Click on the lock to make changes
- Click on “Login Options”
- Pick “Join…” at the bottom
- Select “Open Directory Utility”
- Click on the lock to make changes and key in your login details
- At the top of the menu bar, choose “Edit”
- Select “Enable Root User”
- Set a password
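To confirm both changes took effect, the shell check below (an added example, not from the original article or from Apple) reads the root account's Password attribute with `dscl` and the login window's GuestEnabled preference with `defaults`. It assumes `dscl` reports `Password: *` for an account with no password set, and it cannot tell whether a password that is set is non-empty; off a Mac it runs on a constructed sample instead.

```shell
#!/bin/sh
# Added example: audit the two mitigation steps listed above.
# Assumption: "Password: *" in dscl output means no password is set for root.

# Classify the output of: dscl . -read /Users/root Password
root_password_state() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    case "$value" in
        '')  echo "unknown" ;;   # attribute missing or dscl failed
        '*') echo "not-set" ;;   # literal asterisk: no password set
        *)   echo "set" ;;       # masked value: a password hash exists
    esac
}

# Classify the output of:
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
guest_login_state() {
    case "$1" in
        1|true|YES) echo "enabled" ;;
        0|false|NO) echo "disabled" ;;
        *)          echo "unknown" ;;  # key absent or unreadable
    esac
}

# $1 = dscl output, $2 = defaults output.
# Succeeds only when root has a password and guest login is off.
audit() {
    root=$(root_password_state "$1")
    guest=$(guest_login_state "$2")
    echo "root password: $root; guest login: $guest"
    [ "$root" = "set" ] && [ "$guest" = "disabled" ]
}

if command -v dscl >/dev/null 2>&1; then
    # Live check on a Mac.
    audit "$(dscl . -read /Users/root Password 2>/dev/null)" \
          "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)" \
        || echo "mitigation steps incomplete"
else
    # Constructed sample: root without a password, guest login on.
    audit "Password: *" "1" || echo "mitigation steps incomplete (constructed sample)"
fi
```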
Apple is already aware of the problem and is working on a software update to address the issue. Meanwhile, don’t forget to follow the steps above to protect your device.