Horrifying macOS Bug Lets Anyone Become Admin With No Password

Posted November 29, 2017

From the account, you'll be able to see everything on the Mac. Enter "root" as the username and leave the password field empty.

Right now, the best solution for anyone running macOS High Sierra is to set a password for the root account, which will prevent anyone with access to your computer from being able to log in and make changes. After plugging in "root" as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. The security flaw isn't too big a deal, though, as one would need physical access to your device in order to gain unauthorized administrative access to it.

A number of users have reported that the issue is not active in other versions of macOS.

Indeed, we tested this out on a Mac running 10.13.2 High Sierra - although it should work on the current 10.13.1 build - and it works quite easily.

CNET independently confirmed this security flaw exists and reached out to Apple about the issue.

Using the same trick, you can add new users (even as admins) to a device, remove other users, reset their passwords, decrypt disks encrypted by FileVault, or change nearly every other setting that requires admin access. Then from the menu bar at the top of the screen, click on the "Edit" menu and choose "Enable Root User".

According to reports (meaning we haven't tested this), this isn't an issue on older versions of the OS. The company didn't immediately respond to a request for comment.