If you thought Apple had unusual trouble stabilizing iOS 11 and ironing out the many annoying kinks that probably held back iPhone and iPad users from updating to the latest platform version, wait until you hear about a newly discovered macOS security issue.
This may well be the most embarrassing misstep made by Cupertino’s software engineers in a long time, and no one can understand how something so simple and dangerous escaped QA’s radar in the first place.
Basically, anyone with physical access to a computer running macOS High Sierra 10.13.1 can easily obtain so-called “superuser” rights, whether they’re the rightful owner of the device or not.
All they have to do is go into System Preferences, then Users & Groups, click on the little lock icon, and enter the user name “root” with no password required. As long as the Mac’s actual user never enabled the root option to gain “read and write privileges to more areas of the system, including files in other macOS user accounts”, any malicious individual can break in by leaving the password field empty and pressing Enter a couple of times.
You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use "root" with no password. And try it several times. The result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Ironically, Apple’s support webpages recommend you not routinely use the root user account, but in this particular case, you’re actually advised to set a strong (or weak) password for access to special Mac privileges. That way, it’ll be a lot harder for someone out to get you to disable FileVault encryption, turn off your firewall or wreak all kinds of havoc, including locking you out of your own computer.
What’s even worse is that, if you don’t do the above, the security hole could also leave you open to a breach where standard Mac logins wouldn’t require a password either.
For what it’s worth, Apple is obviously preparing a comprehensive fix in addition to strongly recommending Root User activation and password selection as a temporary workaround.
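A quick way to check whether the workaround described above is in place, as an added example that is not from the original article or from Apple. It assumes that `dscl . -read /Users/root Password` reports `*` while the root user has no password set and a masked value once one has been set; the function names and result labels are made up for illustration.

```shell
#!/bin/sh
# Added example: report whether the root-password workaround is in place.
# Assumption: dscl prints "Password: *" while root has no password set,
# and a masked value (e.g. "Password: ********") once one exists.

# Reduce "Password: <value>" (dscl -read output) to just the value.
password_marker() {
    printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1
}

# classify_root VERSION DSCL_OUTPUT -> prints one of:
#   other-version | unknown | at-risk | workaround-applied
classify_root() {
    version=$1
    marker=$(password_marker "$2")
    if [ "$version" != "10.13.1" ]; then
        echo "other-version"              # the article names 10.13.1 only
        return 0
    fi
    case "$marker" in
        '')  echo "unknown" ;;            # attribute missing or unreadable
        '*') echo "at-risk" ;;            # root has no password set
        *)   echo "workaround-applied" ;; # a root password record exists
    esac
}

# On a Mac, feed the function live data; on other systems this is skipped.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    classify_root "$(sw_vers -productVersion)" \
        "$(dscl . -read /Users/root Password 2>/dev/null)"
fi
```

A `workaround-applied` result only shows that a root password record exists; it says nothing about how strong that password is.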