A serious security flaw was revealed in Apple's macOS that allows anyone to log in as 'root' with a blank password by clicking the login button several times.
The flaw appears to affect only Apple computers running macOS High Sierra.
Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp— Amit Serper (@0xAmit) November 28, 2017
Demonstration of the macOS High Sierra security flaw by Amit Serper.
Once logged in as root, a user has administrator rights on the computer running macOS High Sierra (macOS 10.13). Given what someone can do or install on a vulnerable computer, it is not a good idea to leave it unattended.
Although Apple have not yet released an update to fix this, there is a very simple mitigation for this embarrassing security flaw on computers running macOS High Sierra: set a password for the root account. Once the root account has a password, the flaw can no longer be used to log in.
Apple have since published a guide, reproduced below, on how to set a password for the root account.
How to change your root password
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
The user account named "root" is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts. The root user is disabled by default. If you can log in to your Mac with an administrator account, you can enable the root user, then log in as the root user to complete your task.
Change the root password
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility, choose Edit > Change Root Password…
- Enter a root password when prompted.
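The same mitigation from the command line, as an added example that is not part of the article or of Apple's guide: it inspects the root account's `AuthenticationAuthority` attribute in the local directory (the attribute Directory Utility edits) and prompts for a root password when no hash is present. The `dscl` output strings matched below are assumptions about macOS Open Directory, and the sample values in the comments are constructed.

```sh
#!/bin/sh
# Added example: check whether the local root account has a password hash and
# set one if it does not. Intended for macOS; on other systems dscl is absent
# and only the pure string-classification helper is usable.

# Classify the text of `dscl . -read /Users/root AuthenticationAuthority`.
# Assumed formats (constructed samples):
#   "No such key: AuthenticationAuthority"            -> none     (never set)
#   "AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<...>" -> disabled
#   "AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>"              -> hashed
root_account_state() {
    case "$1" in
        *';DisabledUser;'*) echo disabled ;;
        *';ShadowHash;'*)   echo hashed ;;
        *)                  echo none ;;
    esac
}

# Read the live attribute; stderr is merged because the "No such key"
# message is printed there when the attribute has never been set.
read_root_authority() {
    dscl . -read /Users/root AuthenticationAuthority 2>&1
}

# Apply the article's mitigation: give root a real password when it has none.
# `passwd root` prompts interactively and needs an administrator's sudo.
ensure_root_password() {
    state=$(root_account_state "$(read_root_authority)")
    case "$state" in
        hashed)   echo "root already has a password hash; nothing to do" ;;
        disabled) echo "root is disabled but keeps a password hash; verify it is not blank" ;;
        none)     echo "root has no password hash; setting one now"
                  sudo passwd root ;;
    esac
    echo "$state"
}

# Only touch the live system where the macOS directory tool exists.
if command -v dscl >/dev/null 2>&1; then
    ensure_root_password
fi
```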