There's a Massive Security Vulnerability in the New macOS

Apple chief Tim Cook

Apple chief Tim Cook Credit IDG

Using the same trick, you can add new users (even as admins) to a device, remove other users, reset their passwords, decrypt disks encrypted by FileVault, or change nearly every other setting that requires admin access.

The bug is quite similar to Apple's "root user" login feature as it might function if enabled by default and with a blank password. Root access to a system is the holy grail of control over a device; leaving the root account enabled and with no password is like setting the nuclear launch code as "1234".

Effectively, this issue renders any system running macOS High Sierra completely unsecured - as it doesn't just unlock the device, it gives Admin access. It's the highest level of access, and the account is normally disabled.

The vulnerability does not always work on the first attempt, but simply continuing to click the "Unlock" button with "root" entered as the username and no password provided will eventually unlock the machine.

Apple wasn't immediately available to comment on the bug, whether it's working on a fix, or how to protect any computers running High Sierra right now. Those running previous versions of MacOS including Sierra and Yosemite do not appear to be affected by the bug.

Currently, there is no official fix from Apple regarding the issue. You can check your version of macOS by clicking on the Apple logo in the upper lefthand corner of your screen and clicking "About this Mac". Then use "root" with no password. Changing the root password is the workaround for now.

Latest News