Earlier today, a Turkish security developer discovered that macOS High Sierra has the biggest possible security flaw: a root account, enabled by default with no password, that anyone with physical access to your machine can log into.

Once someone has root access, there are basically no limitations on what they can do. Root is a “superuser” account with read and write privileges over the entire system, including other user accounts. That means that anyone with 30 seconds and physical access to your machine can install programs, read and write files and system files, and do basically anything else you can imagine.

That’s the bad news. The good news is that it’s simple to patch this hole right now, without waiting for a software update from Apple. All you need to do is set a password for your root account (even if you never plan on using it), and no one will be able to use it to log in to your Mac.

Apple’s support page explains how to enable or disable a root account, and how to set a password:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click the lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility:
    • Choose Edit > Enable Root User, then enter the password that you want to use for the root user.

Once you’ve done that, the root account will be password protected, and your Mac should be safe.
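If you would rather audit the root account from a terminal than click through Directory Utility, the following script is an added example (not from this article or from Apple) that classifies the root account as enabled or disabled from the local Directory Services record. It assumes that `dscl . -read /Users/root AuthenticationAuthority` prints “No such key: AuthenticationAuthority” while root is disabled and an `AuthenticationAuthority:` line containing `;ShadowHash;` once a password hash is stored; the sample outputs embedded below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit whether the macOS root account is enabled.
# Assumption: dscl reports "No such key: AuthenticationAuthority" for a
# disabled root account and an AuthenticationAuthority line containing
# ";ShadowHash;" once a password hash exists for root.

# classify_root_auth: reads dscl output on stdin and prints
# "disabled", "enabled" or "unknown".
classify_root_auth() {
    out=$(cat)
    case "$out" in
        *"No such key: AuthenticationAuthority"*) echo disabled ;;
        *"AuthenticationAuthority:"*";ShadowHash;"*) echo enabled ;;
        *) echo unknown ;;
    esac
}

# audit_root: runs the real query when dscl exists (macOS); otherwise
# prints "unknown" so the script degrades cleanly on other systems.
audit_root() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_auth
    else
        echo unknown
    fi
}

# Constructed sample outputs (placeholders, not real hashes).
SAMPLE_DISABLED="No such key: AuthenticationAuthority"
SAMPLE_ENABLED="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.PLACEHOLDER;LKDC:SHA1.PLACEHOLDER"

main() {
    status=$(audit_root)
    case "$status" in
        # A stored hash does not prove the password is non-empty, so the
        # advice in both cases is the same: set a real root password.
        disabled) echo "root is disabled: set a root password (Directory Utility or 'sudo dsenableroot') so it cannot be enabled with a blank one" ;;
        enabled)  echo "root is enabled: make sure it has a strong password ('sudo dsenableroot' or 'sudo passwd root')" ;;
        *)        echo "could not determine root status (not macOS, or unexpected dscl output)" ;;
    esac
}

main "$@"
```

The `dsenableroot` and `passwd root` commands named in the messages are standard macOS tools for setting the root password; they are mentioned here as an alternative to the Directory Utility steps above, not as something the article itself describes.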

Right now, it appears that the bug is limited to the most recent version of macOS High Sierra, but it’s never a bad idea to password-protect your root account, just to be on the safe side.
