A Turkish security researcher revealed Tuesday that Apple’s High Sierra operating system is about as vulnerable to hacking as any operating system can possibly be. All it takes is the word
root and two clicks to gain log in.
Lemi Orhan Ergin tweeted to Apple Support what he and his team had discovered:
We noticed a HUGE security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
What this means is that any malicious user who could get access to a computer’s login screen — either by physically being in the same room as the computer or by gaining a virtual toehold — could type in the word “root” as the username and, after just a few clicks, have access to the system in a way most ordinary Apple users never experience.
The hacker could then potentially install malware in places that would be undetectable to the regular user, or they could pilfer or tamper with files from anywhere on the computer.
Several cybersecurity reporters, including Inverse’s own Mike Brown, have confirmed the security flaw as legitimate.
The good news is that there is a fix, and anyone running macOS High Sierra is advised to do it immediately. The quickest fix is to create a new password for the root user. One way to do this is to open up a terminal and enter the command
$ sudo passwd root.
If that proves confusing or uncertain, Apple Support also this extensive guide to disabling the root user and changing the root password.
This isn’t the first major security flaw to rock the High Sierra operating system, as its launch day was marred by the discovery of another weakness that could expose users’ data. But this latest finding is particularly and worryingly fundamental.
For its part, Apple has promised a long-term patch while advising people to go ahead and set those root user passwords pronto.