
How to fix the MacOS High Sierra password bug

A bug in MacOS High Sierra allowed anyone to log into your Mac without a password. Apple has now issued a fix.

Taylor Martin CNET Contributor
Matt Elliott Senior Editor

A bug was discovered in MacOS High Sierra on Tuesday that allows anyone to log in to your computer using the username "root" with no password.

Originally brought to light on Twitter by developer Lemi Orhan Ergin, the bug appeared when you opened System Preferences and went to Users & Groups. Making changes in this menu normally requires a password -- you have to click the padlock icon in the lower left corner, which prompts you to enter a username and password. Thanks to the bug, however, one could simply enter "root" as the username and leave the password field blank.

It may not work the first time, but trying it additional times will unlock the padlock, giving anyone access to your computer. In our testing, it only took two attempts to unlock the padlock and gain access to an administrator account without a password. After using this root trick in System Preferences, we were then able to log into a locked Mac by choosing Other in the login screen and then entering "root" and no password.


On Wednesday, Apple released a security update to patch this vulnerability. Open the Mac App Store and click the Updates tab to install Security Update 2017-001.

An Apple spokesperson gave this statement:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of MacOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of MacOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Before this update was released, there was a quick fix for the vulnerability, thanks to iMore: set a password for the root user on your Mac. Should this ever arise again, here's how to do it.

  • Click the Apple logo in the menu bar and select System Preferences (or search for it in Spotlight).
  • Click Users & Groups.
  • Click the padlock icon in the lower-left corner.
  • Enter the password for your username.
  • Click Login Options.
  • Click Join or Edit next to Network Account Server.
  • Click Open Directory Utility…
  • Click the padlock icon in the lower-left corner and enter your password once more.
  • In the menu bar, click Edit and select Enable Root User. If root user is already enabled, click Change Root Password…
  • Enter a secure password and enter it a second time to verify.
  • Click OK to finish.

Once you've set a root password, the exploit will no longer work, but we urge you to download the update in any case.

First published Nov. 28, 3:45 p.m. PT.
Update, Nov. 29 10:23 a.m. PT: Adds a statement from Apple and details about the security update it released.