There's a major security flaw in macOS that gives anyone admin access [Update]

Today, it was discovered that there"s a major security vulnerability in the latest version of macOS, High Sierra. As it turns out, it"s remarkably easy for someone to gain admin access to the device; you don"t even need a password.

You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

Indeed, we tested this out on a Mac running 10.13.2 High Sierra - although it should work on the current 10.13.1 build - and it works quite easily. After signing in as a guest, it was possible to change security settings and install apps and software updates from the Mac App Store, just by typing the user name "root". It might take two or three tries to log in, although in some cases, we got it to work on the first try.

According to reports (meaning we haven"t tested this), this isn"t an issue on older versions of the OS. If you really want a fix right now, you can reinstall macOS 10.12 Sierra. Naturally though, this is serious enough that Apple is likely working on getting a patch out as you"re reading this.

Security vulnerabilities don"t get a lot worse than this, as it requires almost no technical skills to pull it off. You really shouldn"t leave your Mac unattended at all until Apple fixes this, and you should shut off guest access for your device.

Update: Apple has advised that they will develop a fix for the issue according to statement to 9to5Mac:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

In the meantime, you can disable the guest account and then change the root password by following these directions to mitigate the vulnerability on macOS High Sierra.

  1. Launch System Preferences
  2. Select Users & Groups
  3. Select Guest User
  4. Uncheck Allow guests to log in to this computer

Change root password

  1. Launch System Preferences
  2. Select Users & Groups
  3. Select Login Options
  4. Select Join next to Network Account Server
  5. Select Open Directory Utility
  6. Click the lock and enter your password to make changes
  7. In the menu bar of Directory Utility, select Change Root Password
  8. Create a strong, unique password
Report a problem with article
Next Article

Google has found a fix for the Pixel and Pixel 2 random reboots

Previous Article

Apple sold six million units of the iPhone X over Black Friday weekend