MacOS High Sierra

Is MacOS the safest operating system? Well, not today it isn’t!

A terrible security flaw has been found in Apple’s Mac operating system MacOS High Sierra, the latest OS for Mac computers, allowing anyone to log in to a locked computer without a password.

The problem was publicly disclosed on Twitter by Lemi Orhan Ergin, who posted his concern and included @Apple and @AppleSupport in his post.

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra,” he wrote. “Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

This gaping hole means that any random person without even the faintest knowledge of hacking can access a Mac running High Sierra without the correct username and password. Just typing ‘root’ as the user grants full access and control over everything, including the ability to reset any other existing passwords on the computer and to reach stored passwords for websites.

If you want to keep your Mac, data and websites safe, you need to act now: affected Macs will inevitably become more of a target for theft, and you could lose a lot more than just hardware.

How to fix the vulnerability

MacOS High Sierra Login root

STEP 1 – Log in as ‘root’ user

  • Click on the Apple icon in the top left-hand corner, then select ‘Logout [user name]’
  • Now you will see the login screen (see pic) – Click on ‘Other User’
  • Where it says ‘User’, key in ‘root’, then press return a few times
  • It should now wrongly allow you access to the Mac (if this doesn’t work, you may be on an older version of the operating system)

STEP 2 – Editing ‘root’ user

  • Once you have logged in, go to: Apple menu > System Preferences > Users & Groups
  • You will see your user profile as ‘System Administrator’.
  • Click on this profile, then click ‘Password’

STEP 3 – Change ‘root’ password

  • In the dialogue box, leave ‘Old Password’ blank, then in ‘New Password’ enter a new strong password and verify it.
  • Now click ‘Change Password’.
  • Log out of the ‘root’ user and then try to log back in with the password left blank. The system should NOT allow you in.
  • Now try your newly created password and log in.

Note: Make sure you record this password somewhere secure.


Why is this security flaw so BAD?

When you are logged in with the ‘root’ account, you are able to reset any user’s account on the computer and then log in as their profile, giving full access to all of their files, personal data, browser history and potentially any of their saved passwords for websites etc.