macOS High Sierra bug allows full admin access without a password
But there's a relatively easy fix.
If you're using Apple's latest macOS High Sierra, you'll want to be wary of giving people access to your computer. Initially tweeted by developer Lemi Orhan Ergin, there's a super-easy exploit that can give anyone gain admin (or root) rights to your Mac. Engadget has confirmed that you can gain root access in the login screen, the System Preferences Users & Groups tab and File Vault with this method. All you need to do is enter "root" into the username field, leave the password blank, and hit Enter a few times. Needless to say, this is some scary stuff.
Root access allows someone to access your machine as a "superuser" with read and write privileges to many ore system files, including those in other macOS accounts. Luckily, the fix is fairly easy. As developer Colourmeamused tweeted, you need to set a root password:
Everyone with a Mac needs to set a root password NOW.
As a user with admin access, type the following command from the Terminal.
sudo passwd -u root
Enter your password then a new password for the root user.
Anyone got a better fix?@SwiftOnSecurity @rotophonic @pwnallthethings— colourmeamused (@colourmeamused_) November 28, 2017
Engadget has confirmed that this will secure your macOS High Sierra machine, and keep people from gaining root access as above. We've reached out to Apple and will update this post when we hear back.
Update, 5:30 PM ET: Apple provided a statement to Buzzfeed, saying that a software update was forthcoming to address this issue. It also notes how to set a root password to protect your computer in the meantime.
Here's Apple's comment on that #macOS #HighSierra security hole pic.twitter.com/uutivJm12V
— John Paczkowski (@JohnPaczkowski) November 28, 2017
