If you’re on macOS High Sierra, you need to set a root password ASAP to dodge security flaw

If you thought Apple had unusual trouble stabilizing iOS 11 and ironing out the many annoying kinks that probably held back iPhone and iPad users from updating to the latest platform version, wait until you hear about a newly discovered macOS security issue.

This may well be the most embarrassing misstep made by Cupertino’s software engineers in a long time, and no one can understand how something so simple and dangerous escaped QA’s radar in the first place.

Basically, anyone with physical access to a computer running macOS High Sierra 10.13.1 can easily obtain so-called “superuser” rights, whether they’re the rightful owner of the device or not.

All they have to do is go into System Preferences, then Users & Groups, click on the little lock icon, and enter the user name “root” with no password required. As long as the Mac’s actual user never enabled the root option to gain “read and write privileges to more areas of the system, including files in other macOS user accounts”, any malicious individual can break in by leaving the password field empty and pressing Enter a couple of times.

Ironically, Apple’s support webpages recommend you not routinely use the root user account, but in this particular case, you’re actually advised to set a strong (or weak) password for access to special Mac privileges. That way, it’ll be a lot harder for someone out to get you to disable FileVault encryption, turn off your Firewall or wreak all kinds of havoc, including locking you out of your own computer.

What’s even worse is that, if you don’t do the above, the security hole could also leave you open to a breach of security where standard Mac logins wouldn’t require a password either.

For what it’s worth, Apple is obviously preparing a comprehensive fix in addition to strongly recommending Root User activation and password selection as a temporary workaround.
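To see whether a given Mac still needs the workaround, the script below is an added example (not from Apple or the original article) that classifies a machine from its OS version and the root account record. It assumes `dscl . -read /Users/root Password` prints `Password: *` while root has no password and `Password: ********` once one is stored; the function names and sample line are made up for illustration.

```shell
#!/bin/sh
# Added example: decide whether the root-password workaround is still needed.
# Assumption: dscl shows "Password: *" for a root account with no password
# and "Password: ********" once a password has been stored.

AFFECTED_VERSION="10.13.1"   # the version the article names

# root_state <dscl output>: prints "unset", "set" or "unknown".
root_state() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    case "$value" in
        '*')        echo unset ;;
        '********') echo set ;;
        *)          echo unknown ;;
    esac
}

# exposure <os version> <dscl output>: prints the action to take.
exposure() {
    state=$(root_state "$2")
    if [ "$1" != "$AFFECTED_VERSION" ]; then
        echo "not-listed-version"        # not the release the article names
    elif [ "$state" = unset ]; then
        echo "set-root-password-now"     # the workaround has not been applied
    elif [ "$state" = set ]; then
        echo "root-password-present"     # confirm it is a password you chose
    else
        echo "check-manually"
    fi
}

if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    # On a Mac: evaluate the live system.
    exposure "$(sw_vers -productVersion)" "$(dscl . -read /Users/root Password 2>&1)"
else
    # Elsewhere: evaluate a constructed sample record.
    SAMPLE_DSCL='Password: *'
    exposure "$AFFECTED_VERSION" "$SAMPLE_DSCL"
fi
```

If the result is `set-root-password-now`, running `sudo passwd root` in Terminal sets the root password from the command line.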

About The Author
Adrian Diaconescu