In a statement provided to MacRumors, Apple said the company's engineers began working on a fix as soon as the problem was discovered.
Apple says it will automatically push out the update to all users who have not installed it later in the day. The update can be downloaded on all machines running macOS 10.3.1 using the Software Update mechanism in the Mac App Store. Update 2: Apple released a security update to address the vulnerability on Wednesday morning. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section." To enable the Root User and set a password, please follow the instructions here. In the meantime, setting a root password prevents unauthorized access to your Mac. "We are working on a software update to address this issue. Update: An Apple spokesperson told MacRumors that a fix is in the works:
We have a full how to with a complete rundown on the steps available here. Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address. It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer. At the login screen, click "Other," and then enter "root" again with no password.
Click unlock, and it should allow you full access to add a new administrator account.Īt the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. Move the mouse to the Password field and click there, but leave it blankĦ. To replicate, follow these steps from any kind of Mac account, admin or guest:ĥ.
This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac. The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.