A vulnerability in macOS High Sierra has been discovered and made public by developer Lemi Orhan Ergin, who raised it with Apple Support on Twitter. The flaw, which is limited to High Sierra, lets anyone with physical access to a Mac log in as root with an empty password and from there read and change every user’s files and settings, without knowing any administrator password. That includes someone who only has access to the Guest account.
The protection that matters is the root password: a Mac on which the root account has been enabled and given a strong password is not exposed to this bug. Disabling the Guest account reduces who can reach the login window, but it is not sufficient on its own, because the attack does not depend on the Guest account at all. A Mac with Guest login enabled and no root password set is vulnerable.
Update: Apple has since fixed this issue in Security Update 2017-001 for macOS High Sierra; once it is installed, the workaround below is no longer needed.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Apple has been made aware of this major security flaw and, as usual, the company has promised a fix very soon. Until then you can keep your data safe by disabling the Guest account and setting a root password on your Mac; instructions for both are below.
- On your Mac launch System Preferences.
- Click on Users & Groups and select Guest User.
- Uncheck ‘Allow Guests to log in to this computer’.
After you have disabled the Guest account, set the root password of your machine. This is the step that actually closes the hole.
- On your Mac launch System Preferences.
- Click on Users & Groups and select Login options.
- Click on the ‘Join…’ button and then click on the ‘Open Directory Utility’ button.
- Click on the padlock button and enter your password to start making changes.
- In the Directory Utility menu bar, open the Edit menu and choose ‘Change Root Password…’, then enter a strong password.
If ‘Change Root Password…’ is greyed out, the root account has not been enabled yet, which is the default state and the one this bug exploits. Choose ‘Enable Root User’ from the same Edit menu and set a strong password when prompted; that single step is the fix.
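As an added example (not from the article or from Apple), the following shell script audits the two mitigations described above on a High Sierra Mac from the Terminal: whether Guest login is on, and whether the root account is enabled with a password, which is the state that matters. It assumes the stock macOS tools sw_vers, defaults, dscl, sysadminctl and dsenableroot; that the Guest checkbox is backed by the GuestEnabled key in /Library/Preferences/com.apple.loginwindow; and that a disabled root record carries the ;DisabledUser; tag in its AuthenticationAuthority attribute. The sample attribute strings in the script are constructed. It deliberately does not try to authenticate as root with an empty password to test for the bug, because an authentication attempt against the disabled root account is the very action the bug turns into an enabled, password-less root.

```shell
#!/bin/sh
# Added example (not from the article): audit the two mitigations described
# above on a High Sierra Mac and print the command that fixes each.
# dscl, dsenableroot, sysadminctl, sw_vers and defaults are stock macOS tools;
# the sample attribute strings further down are constructed for illustration.

# Classify root's AuthenticationAuthority attribute, read from stdin, as
# "enabled" (a password hash is present) or "disabled".  Assumption: a
# disabled account carries the ";DisabledUser;" tag, and a record with no
# such attribute at all (dscl prints "No such key" to stderr and nothing to
# stdout) has never been enabled, which counts as disabled too.
root_state() {
    attr=$(cat)
    case "$attr" in
        *";DisabledUser;"*) echo disabled ;;
        *";ShadowHash;"*)   echo enabled ;;
        *)                  echo disabled ;;
    esac
}

# True for any High Sierra release (10.13.x), the only versions affected.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

audit() {
    ver=$(sw_vers -productVersion 2>/dev/null || true)
    if [ -z "$ver" ]; then
        echo "sw_vers not found: this is not a Mac, nothing to check."
        return 0
    fi
    if ! is_high_sierra "$ver"; then
        echo "macOS $ver is not High Sierra; this bug does not apply."
        return 0
    fi

    # Mitigation 1: the Guest account.  GuestEnabled in the loginwindow
    # preferences is assumed to be the switch behind the checkbox described
    # above ("1" means guests may log in).
    guest=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo 0)
    if [ "$guest" = 1 ]; then
        echo "Guest login is ON.  Turn it off with:"
        echo "    sudo sysadminctl -guestAccount off"
    else
        echo "Guest login is off."
    fi

    # Mitigation 2: the root password, which is what actually closes the hole.
    state=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null | root_state)
    if [ "$state" = enabled ]; then
        echo "root is enabled with a password; an empty-password root login is refused."
    else
        echo "root is DISABLED: on unpatched High Sierra this is the exploitable state."
        echo "Enable it with a strong password (run interactively, so the password stays"
        echo "out of shell history and the process list):"
        echo "    sudo dsenableroot"
    fi
}

# Constructed sample attribute values, in the format dscl prints, so the
# classifier can be exercised on a non-Mac as well.
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.X;LKDC:SHA1.X;'
echo "sample disabled record -> $(printf '%s\n' "$SAMPLE_DISABLED" | root_state)"
echo "sample enabled record  -> $(printf '%s\n' "$SAMPLE_ENABLED"  | root_state)"

audit
```

Run it as an ordinary user; only the remediation commands it prints need sudo. The interactive form of dsenableroot is suggested on purpose: its non-interactive flags take the admin and root passwords on the command line, where they land in shell history and are visible to every process on the machine.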