MacOS High Sierra Bug Allows Root Access Without Password

Juli Clover, reporting for MacRumors:

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

There’s no “appears to be” about this — this is a serious bug. Allowing root access without a password is just inexplicably bad. I rarely describe any bug as inexcusable, but this is inexcusable.

Until Apple issues a fix, there is a workaround: manually enable the root user account and give it a strong unique password.

Tuesday, 28 November 2017