The exploit could be used to access your sensitive files

Nov 28, 2017 21:35 GMT  ·  By

It would appear that there's a major security vulnerability in the wild affecting Apple's macOS High Sierra 10.13 operating system, which could put your personal data in danger.

The security flaw was discovered by developer Lemi Orhan Ergin, who publicly posted it on his Twitter account addressed to Apple Support. The issue can allow an attacker with physical access to a Mac running macOS High Sierra to bypass the lock screen and change any settings without needing your username or password.

This is possible only on Macs that have the Guest User account enabled, which is usually activated by default on macOS High Sierra, as well as on machines where the root (system administrator) account hasn't yet been given a password. Affected systems include macOS 10.13.0, 10.13.1, and 10.13.2 beta.

So here's how it works. Simply go to any section in the System Preferences panel where the lock sign is available in the bottom left. Click it if it's locked, and replace your username with "root" (without quotes), put the mouse cursor on the password field, but without typing anything, click the "Unlock" button, and voilà!

Someone can also log in as root on your locked Mac, or while you're logged out, using the same trick via the Guest account, and then change your settings and access your personal data. In addition, someone can unlock your Mac if they click the Other icon on the login screen, type "root" as the username, and log in. The worst part is that they will be logged in as System Administrator, not as a guest user.

Here's how to protect your Mac right now

Until Apple fixes the security vulnerability, which the company usually does with the next point release of the operating system, in this case macOS High Sierra 10.13.2, you can protect your Mac right now by disabling the Guest User account and setting a password for the root account, following our instructions below.

To disable the Guest User account, simply open System Preferences, go to Users & Groups, click the lock at the bottom left to make changes, input your current password, select the "Guest User" entry in the left panel, and uncheck the "Allow guests to log in to this computer" option. See the screenshot below for more details.

Disable Guest Account on macOS High Sierra

Don't close the window. To set a root password you'll have to click on the "Login Options" in the left panel, then click the "Join" button next to the "Network Account Server" option, and in the small pop-up dialog click the "Open Directory Utility" button.

With the Directory Utility window open, go to the menu bar and select the "Enable Root User" entry from the Edit menu. You'll be immediately prompted to create a new password for the root account, so make sure it's a very strong one. If the root account is already enabled on your machine, click "Change Root Password" instead and set a new, strong password.

Create a password for the root account
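The same two mitigations can be checked and applied from Terminal. The following script is an added example, not from the article or from Apple; it assumes a macOS 10.13 host where the `defaults`, `dscl` and `passwd` commands are available, and that the guest-login setting lives under the `GuestEnabled` key of the loginwindow preference domain. The parsing functions take command output as a string so the logic can be exercised with constructed samples on any system; the live section only runs on macOS when `--live` is passed.

```shell
#!/bin/sh
# Audit and mitigation helper for the guest-account and root-password advice
# in the article. Added example (assumption: macOS 10.13 with defaults, dscl
# and passwd available); not the article's or Apple's own code.

# Guest login is stored in the loginwindow preference domain (assumed path).
LOGINWINDOW_PLIST=/Library/Preferences/com.apple.loginwindow

# Interpret the output of `defaults read $LOGINWINDOW_PLIST GuestEnabled`.
# Prints "enabled" or "disabled". An empty value (key absent) is reported as
# enabled, because the article notes guest login is on by default in 10.13.
guest_state_from_output() {
  case "$1" in
    0|false|FALSE|no|NO) echo disabled ;;
    *) echo enabled ;;
  esac
}

# Interpret the output of `dscl . -read /Users/root AuthenticationAuthority`.
# A root account that has been given a password carries a ShadowHash
# authority; a disabled root account makes dscl report "No such key".
# Prints "enabled" or "disabled".
root_state_from_output() {
  case "$1" in
    *ShadowHash*) echo enabled ;;
    *) echo disabled ;;
  esac
}

# Combine both states into one verdict, following the article's advice:
# "mitigated" only when guest login is off AND root has a password record.
verdict() {
  guest="$1"
  root="$2"
  if [ "$guest" = enabled ] || [ "$root" = disabled ]; then
    echo exposed
  else
    echo mitigated
  fi
}

# Live run (macOS only, and only when explicitly requested):
#   sh audit_root_login.sh --live          # report current state
#   sudo sh audit_root_login.sh --live fix # also apply both mitigations
if [ "$(uname)" = Darwin ] && [ "x${1:-}" = "x--live" ]; then
  guest=$(guest_state_from_output "$(defaults read "$LOGINWINDOW_PLIST" GuestEnabled 2>/dev/null)")
  root=$(root_state_from_output "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
  echo "guest login: $guest, root account: $root -> $(verdict "$guest" "$root")"
  if [ "x${2:-}" = "xfix" ]; then
    # Same two changes the article walks through in System Preferences.
    defaults write "$LOGINWINDOW_PLIST" GuestEnabled -bool false
    # Prompts for a new root password: sets one if root was disabled,
    # replaces it otherwise (Apple's "Change the root password" step).
    passwd root
  fi
fi
```

Run the report first as a normal user; `fix` needs `sudo` because both the preference write and `passwd root` change system state. Re-running the report after the fix should print `mitigated`.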
Update: Apple confirmed the security vulnerability and issued a statement to iMore saying it's working on a fix as soon as possible, urging users to change the root password as described above.

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the "Change the root password" section."

Update 2: Apple was quick to patch the security flaw today and released a patch that users can install via Mac App Store. More details here!
