How to fix the massive macOS root security bug

Published Nov 28th, 2017 4:01PM EST

Earlier today, a Turkish security developer discovered that macOS High Sierra has the biggest possible security flaw: a root account, enabled by default with no password, that anyone with physical access to your machine can log into.

Once someone has root access, there are basically no limits to what they can do. Root is a “superuser” account with read and write privileges over the entire system, including other user accounts. That means that anyone with 30 seconds and physical access to your machine can install programs, read and write user files and system files, and do basically anything else you can imagine.

That’s the bad news. The good news is that it’s simple to patch this hole right now, without waiting for a software update from Apple. All you need to do is set a password for your root account (even if you never plan on using it), and no one will be able to use it to log in to your Mac.

Apple’s support page explains how to enable or disable a root account, and how to set a password:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click the lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility:
    • Choose Edit > Enable Root User, then enter the password that you want to use for the root user.

Once you’ve done that, the root account will be password protected, and your Mac should be safe.

Right now, it appears that the bug is limited to the most recent version of macOS High Sierra, but it’s never a bad idea to password-protect your root account, just to be on the safe side.

Chris Mills, News Editor

Chris Mills has been a news editor and writer for over 15 years, starting at Future Publishing, Gawker Media, and then BGR. He studied at McGill University in Quebec, Canada.