macOS High Sierra grants anyone Root access without a password

A simple yet powerful security bug in macOS High Sierra can let anyone hack your Mac without a password. Here’s how this bug works and how you can fix it.

macOS High Sierra Root access bug explained

Turkish developer and security researcher, Lemi Orhan Ergin, discovered the “root access” bug in High Sierra yesterday.

Here’s how this bug can be used to get root privileges without doing any “hacking”:

  • Go to System Preferences > Users & Groups and tap the padlock icon.
  • Use root as the login and leave the password field blank.
  • Once that’s done, simply press the Unlock button a few times and you will get root access! That’s how easy it really is.

Here’s what Ergin wrote on Twitter.

This means anyone who has physical access to your Mac can access the root filesystem.

For those who don’t know, unrestricted access to the root filesystem can lead to data compromise. This makes this simple loophole very dangerous, especially for novice users.

Affected versions

Remember, this bug only affects macOS High Sierra version 10.13.1.

Older versions such as macOS Sierra 10.12.6 and below are totally immune to this security bug. Therefore, there’s no need to update if you are on any of these versions.

While the actual probability of someone using this bug to damage your Mac is quite low, it is still recommended to close such bugs and install the latest updates.

Here’s how you can fix this issue once and for all.

How can I close this loophole?

1. Update macOS

Thankfully, Apple took note of the situation and promptly released an update within a few hours. The latest security update is Security Update 2017-001 for High Sierra 10.13.1.

The best way to close this loophole right now is to install this update. Once it is installed, you are done.

2. Manual method

The manual method involves changing the root password. Here’s how you can do that:

  • Go to System Preferences > Users & Groups.
  • Click the padlock icon and key in the admin login/password in the appropriate fields.
  • Press Login Options > Join > Open Directory Utility.
  • Click the padlock icon in the Directory Utility window and again enter the admin login/password.
  • Click Edit > Change Root Password.
  • Enter your root password.

Obviously, it’s better to stick to the first method that involves updating.
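
To see from Terminal which of these states a Mac is in, the script below classifies a machine from the output of sw_vers, system_profiler and dscl. It is an added example, not part of the original article; the verdict names and the reading of the dscl output ("No such key" when root has no password, a ShadowHash entry when one is set) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the article): classify a Mac against the article's
# two fixes. The functions take command output as arguments, so the logic can
# be checked on any machine; only the Darwin branch runs macOS commands.

AFFECTED_VERSION="10.13.1"            # the only affected version per the article
FIX_NAME="Security Update 2017-001"   # the update named in the article

# $1 = output of: dscl . -read /Users/root AuthenticationAuthority
# Assumption: "No such key" means root has no password; ShadowHash means set.
root_password_state() {
    case "$1" in
        *"No such key"*) echo "unset" ;;
        *ShadowHash*)    echo "set" ;;
        *)               echo "unknown" ;;
    esac
}

# $1 = output of: sw_vers -productVersion
# $2 = output of: system_profiler SPInstallHistoryDataType
# $3 = output of the dscl command above
assess() {
    if [ "$1" != "$AFFECTED_VERSION" ]; then
        echo "not-affected"
    elif printf '%s\n' "$2" | grep -qF "$FIX_NAME"; then
        echo "patched"             # method 1: the update is in the install history
    elif [ "$(root_password_state "$3")" = "set" ]; then
        echo "root-password-set"   # method 2 applied; the update is still preferred
    else
        echo "exposed"             # unknown root state is treated as exposed
    fi
}

if [ "$(uname -s)" = "Darwin" ]; then
    # Live check. stderr is captured too, in case dscl reports the missing key there.
    assess "$(sw_vers -productVersion)" \
           "$(system_profiler SPInstallHistoryDataType 2>/dev/null)" \
           "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
else
    # Constructed sample outputs (not captured from a real Mac).
    assess "10.13.1" "macOS High Sierra:" "No such key: AuthenticationAuthority"
fi
```

A "root-password-set" result on a Mac where nobody knowingly set a root password is a reason to change that password using the manual method above.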
