A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.

Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password. Here's how:

  1. Open Spotlight and search for Directory Utility. directory utility spotlight
  2. Double click on the app result to open.
  3. Click on the lock at the bottom of the window to make changes and enter your username and password for an administrator account on your computer. directory utility
  4. In the menu bar at the top of the screen, choose "Edit." macoshighsierrarootbugeditmenu
  5. Select "Enable Root User."

From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.

macoshighsierrarootbugpassword
Disabling the root user account again follows the same steps, but at the "Edit" portion of the process, you'll select "Disable Root User" to remove the option. Until the bug is fixed, though, you'll want to leave the root user account intact to prevent it from being accessed without a password.

To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing "Guest User" after entering your admin password. Disable "Allow guests to log in to this computer."

Update: Apple has released a security update to fix this issue, and all macOS High Sierra users should apply the update as soon as possible to ensure they are protected.

Related Forum: macOS High Sierra

Top Rated Comments

poppy10 Avatar
83 months ago
This is such a fundamental and major security flaw, it's mind-blowing how it managed to get through Apple's QA

A critical vulnerability that allows root access to all macs with a single click. We'd be laughing at Microsoft if this had occurred with Windows
Score: 27 Votes (Like | Disagree)
rpmurray Avatar
83 months ago
Now the new backdoor that Apple added for the government has been blown.
Score: 12 Votes (Like | Disagree)
Sefstah Avatar
83 months ago
Or, you know, don't leave your laptop sitting around unlocked. As more or less 100% of your critical info is under your user account anyway, probably even in the easy to find Documents folder, it's almost useless to spend time (as a theif) monkeying with root accounts. Just yoink what you need directly. Creating a root password (as a theif) presumes future access to the Mac, in which case it's been lifted already, and there are ways to get at your info, anyway, if it's unencrypted, as most Macs are.

Pretty dumb flaw, yes, but you deserve what you get if you leave your unattended, unlocked laptop lying around where people can physically get at it in the first place.
Laptop? How about all the schools and Universities that use iMacs with admin accounts? This is a HUGE flaw and shouldn’t be downplayed.
Score: 9 Votes (Like | Disagree)
KvR Avatar
83 months ago
Much easier (if your comfortable with the terminal) fix:

sudo passwd root

Just set a password on your root account.
Score: 8 Votes (Like | Disagree)
miniyou64 Avatar
83 months ago
Unbelievable. This is not Steve’s Apple.
Score: 5 Votes (Like | Disagree)
Doctor Q Avatar
83 months ago
A faster way to launch Directory Utility is to type "directory utility" in Spotlight, then press return. (This assumes that you have "Applications" enabled in Spotlight's preferences.)

Make sure you choose a secure root password. Leaving root enabled with an easily guessed password defeats the purpose.
Score: 5 Votes (Like | Disagree)

Popular Stories

reset password request iphone

Warning: Apple Users Targeted in Phishing Attack Involving Rapid Password Reset Requests

Tuesday March 26, 2024 4:34 pm PDT by
Phishing attacks taking advantage of Apple's password reset feature have become increasingly common, according to a report from KrebsOnSecurity. Multiple Apple users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to cause panic so they'll respond favorably to social engineering. An...
maxresdefault

Apple to Launch New iPad Pro and iPad Air Models in May

Thursday March 28, 2024 11:07 am PDT by
Apple will introduce new iPad Pro and iPad Air models in early May, according to Bloomberg's Mark Gurman. Gurman previously suggested the new iPads would come out in March, and then April, but the timeline has been pushed back once again. Subscribe to the MacRumors YouTube channel for more videos. Apple is working on updates to both the iPad Pro and iPad Air models. The iPad Pro models will...
Generic iOS 18 Feature Purple

iOS 18: What to Expect From 'Biggest' Update in iPhone's History

Wednesday March 27, 2024 11:10 am PDT by
At least some Apple software engineers continue to believe that iOS 18 will be the "biggest" update in the iPhone's history, according to Bloomberg's Mark Gurman. Below, we recap rumored features and changes for the iPhone. "The iOS 18 update is expected to be the most ambitious overhaul of the iPhone's software in its history, according to people working on the upgrade," wrote Gurman, in a r...
maxresdefault

Apple Announces WWDC 2024 Event for June 10 to 14

Tuesday March 26, 2024 10:02 am PDT by
Apple today announced that its 35th annual Worldwide Developers Conference is set to take place from Monday, June 10 to Friday, June 14. As with WWDC events since 2020, WWDC 2024 will be an online event that is open to all developers at no cost. Subscribe to the MacRumors YouTube channel for more videos. WWDC 2024 will include online sessions and labs so that developers can learn about new...
apple maps 3d feature

Apple Maps May Gain Custom Routes With iOS 18

Tuesday March 26, 2024 3:10 pm PDT by
Apple may be planning to add support for "custom routes" in Apple Maps in iOS 18, according to code reviewed by MacRumors. Apple Maps does not currently offer a way to input self-selected routes, with Maps users limited to Apple's pre-selected options, but that may change in iOS 18. Apple has pushed an iOS 18 file to its maps backend labeled "CustomRouteCreation." While not much is revealed...
General iOS 17 Feature Orange Purple

Apple Releases Revised Versions of iOS 17.4.1 and iPadOS 17.4.1 With Updated Build Number

Wednesday March 27, 2024 5:59 am PDT by
Apple on late Tuesday released revised versions of iOS 17.4.1 and iPadOS 17.4.1 with an updated build number of 21E237, according to MacRumors contributor Aaron Perris. The updates previously had a build number of 21E236. The revised updates are available for all iPhone and iPad models that are compatible with iOS 17 and iPadOS 17, but they can only be installed via the Finder app on macOS...
applephilschiller

Apple's Phil Schiller Works 80 Hours a Week Overseeing App Store

Wednesday March 27, 2024 2:03 pm PDT by
With the App Store and app ecosystem undergoing major changes in the European Union, The Wall Street Journal today shared a profile on App Store chief Phil Schiller, who is responsible for the App Store. Though Schiller transitioned from marketing chief to "Apple Fellow" in 2020 to take a step back from Apple and spend more time on personal projects and friends, he is reportedly working...