- There’s a bug in the latest version of MacOS that lets anyone log in to change settings or access your data with the username “root” and no password.
- Apple told Business Insider it is working on a software fix for the issue.
- Before the fix is pushed, Apple recommends setting a “root password” on your Mac. It’s not a difficult process but it’s not simple — instructions are here.
People are upset with Apple over a nasty security flaw discovered on Tuesday in the latest version of MacOS, called High Sierra.
On an up-to-date Mac, users can gain access to change protected settings in certain circumstances by telling the system their username is “root” and providing a blank password.
Apple is looking into the bug and will push a software update that fixes it, a representative told Business Insider in an email:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Business Insider was able to replicate the bug on Tuesday. After plugging in “root” as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. The bug didn’t work on a Mac with older software.
Theoretically, a user with “root” access has complete access to your entire computer, its data, and its settings.
Lots of people are picking up on the problem, including NSA whistleblower Edward Snowden and other security experts.
Apple also created an online support page with directions to enable a “root user,” which the company says is the best fix until a more permanent software update is published.
This isn’t the first major Apple security bug that’s been discovered recently in MacOS. Earlier this year, Macs would apparently give out people’s passwords when they clicked for a password hint.