Apple just sh** the bed. Seriously. There’s a huge security vulnerability in macOS High Sierra, although calling it a “vulnerability” is like saying an atomic bomb is similar to a firecracker. Lemi Orhan Ergin (founder of Software Craftsmanship Turkey) apparently discovered the flaw and publicly posted about it to Apple on Twitter. It’s not clear whether he gave Apple a heads-up prior to his tweet.
What Is It?
So… basically, the bug lets you log in as a system administrator with full privileges, without needing a password. Whoops. I don’t want to go through the steps here, but there are a ton of articles if you want to check it out for yourself. Basically the problem is that the root (system administrator) account has no password set but is disabled by default. Through this vulnerability, that hidden admin account becomes active, and with no password on it, anyone can log in as root.
Holy security fail, Batman!
What Do I Do?
Apple will certainly fast-track a patch to fix this massive problem. In the meantime, there’s a workaround, which is basically to make sure the root (system administrator) account has a password of your own choosing (aka make it a good one, but anything is better than a blank password).
The first step is to go into the Users & Groups section of System Preferences.
There you click on Login Options, and then the Join… button.
That will bring up Directory Utility. From there, click the “Edit” menu on the menu bar. All you have to do here is make sure the Root User is enabled and then change the password (you can’t change the password unless the Root User is enabled). Once a real password is set, the blank-password login the bug relies on no longer works.
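If you would rather check and fix this from the Terminal than click through Directory Utility, the script below is an added example (not from the original post or from Apple). It reads the root account’s authentication record with `dscl`, reports whether root is currently disabled or enabled, and points at `sudo passwd root` to set a real password either way. It assumes the usual `dscl` output strings (“No such key: AuthenticationAuthority” when root has never been enabled, a “ShadowHash” entry once it has); adjust the patterns if your system prints something different.

```shell
#!/bin/sh
# Added example: classify the root account's state from the output of
#   dscl . -read /Users/root AuthenticationAuthority
# and suggest the fix. Assumed dscl output strings are noted in each branch.

# Takes dscl's combined stdout/stderr as $1 and prints one word for root's state.
root_state() {
    out="$1"
    case "$out" in
        *"No such key: AuthenticationAuthority"*)
            # Assumed: no AuthenticationAuthority key means root was never enabled
            # (the High Sierra default).
            echo "disabled" ;;
        *"ShadowHash"*)
            # Assumed: a ShadowHash entry means root is enabled. The stored hash may
            # still be of an empty password, so a password should be set regardless.
            echo "enabled" ;;
        *)
            echo "unknown" ;;
    esac
}

# One line of remediation advice per state.
advice_for() {
    case "$1" in
        disabled) echo "root is disabled; still set a root password: sudo passwd root" ;;
        enabled)  echo "root is ENABLED; set or replace its password now: sudo passwd root" ;;
        *)        echo "could not parse dscl output; inspect /Users/root manually" ;;
    esac
}

# Only query the directory when dscl exists (i.e. we are actually on a Mac).
if command -v dscl >/dev/null 2>&1; then
    state=$(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    echo "root account state: $state"
    advice_for "$state"
fi
```

Setting the password with `sudo passwd root` enables the root account with that password, which is the same end state the Directory Utility steps above produce.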