MacOS High Sierra bug allows full admin access without a password

Turkish developer Lemi Orhan Ergin has discovered that macOS High Sierra appears to ship without a root password: logging in with the username root and no password gives you full admin access to do whatever you want, including changing passwords for other accounts. The vulnerability affects all the latest versions of the operating system, but it only seems to affect devices running macOS High Sierra and can't be reproduced on older versions of the OS. The security flaw isn't too much of a big deal, though, as one would need physical access to your device in order to get unauthorized administrative access to it.

El Reg was able to replay the bug on our office Macs running High Sierra, which was released in September.

Security vulnerabilities don't get a lot worse than this, as it requires nearly no technical skill to pull off. That said, this isn't good for macOS users and it looks bad for Apple. A spokesperson for Apple was not immediately available for comment. Apple is generally good about patching issues like this quickly, but for now machines will remain vulnerable until it can push an update.

You can enable or disable the root account from System Preferences > Users & Groups on your Mac. Then use "root" with no password. Click the lock to make changes and enter the administrator name and password.

Some users are reporting that you can change your root password to fix the issue, but Apple has not issued official guidance yet.