ALERT: There’s A Massive Security Vulnerability In The New MacOS


The current release of macOS High Sierra, version 10.13.1, has a bug that lets anyone with physical access to your machine bypass the login screen and reach your data. The flaw lets that person authenticate as a “system administrator”, with the ability to view files and change details in user accounts.

macOS is built on Darwin, a Unix-derived system, and, like every Unix system, it has a root user with complete control over everything on the machine. That is a level of access well beyond the normal admin account created when you add users on a Mac.

The bug was reported by Lemi Orhan Ergin who reached out to Apple over Twitter.

According to The Verge, one way to thwart this low-likelihood but high-impact vulnerability is to change the root account password on your Mac. This is done as follows:

  1. Open System Preferences and launch Users & Groups
  2. Go to Login Options, click on Join and then Open Directory Utility
  3. Choose the Edit option and Enable the Root User if you haven’t already
  4. Choose Change Root Password
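
The same check and mitigation from the command line, as an added example that is not from the article or from Apple. It assumes the macOS tools dscl and dsenableroot, and that dscl reports “No such key” when the root user has never been enabled; the parser itself runs on any system.

```shell
#!/bin/sh
# Added example (not from the article or Apple): audit the root account and apply
# the same mitigation as the Directory Utility steps above, from a Terminal.
# Assumes the macOS tools dscl(1) and dsenableroot(8).

# Classify the output of `dscl . -read /Users/root AuthenticationAuthority`.
# Assumption: a never-enabled root user has no AuthenticationAuthority key, so dscl
# prints "No such key: AuthenticationAuthority"; an enabled root lists a ShadowHash
# entry (a real password hash) in that key.
root_state_from_dscl() {
    case "$1" in
        *"No such key"*) echo "disabled-no-password" ;;
        *ShadowHash*)    echo "enabled-with-password" ;;
        *)               echo "unknown" ;;
    esac
}

# Live check on a Mac: prints the state and returns 0 only when root has a password.
root_state() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    state=$(root_state_from_dscl "$out")
    echo "$state"
    [ "$state" = "enabled-with-password" ]
}

# Mitigation: give root a real password so an empty-password attempt has nothing to
# match. dsenableroot prompts for an admin username/password and the new root
# password; it is the CLI equivalent of "Enable Root User" + "Change Root Password".
harden_root() {
    dsenableroot
}

if command -v dscl >/dev/null 2>&1; then
    if ! root_state; then
        echo "root has no password set; run with --harden to set one" >&2
        if [ "${1:-}" = "--harden" ]; then
            harden_root
        fi
    fi
else
    echo "dscl not found: not macOS, skipping live check" >&2
fi
```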

Although Apple does run a bug bounty program, offering rewards of up to US$200,000, it’s invitation only unlike the wide open programs run by Microsoft, Google and others.

This flaw is significant but the risk to most users is quite low. In order to exploit the issue, a bad guy would need physical access to your Mac. And, as most security experts would attest, physical access will eventually trump any logical security you may have in place.


  • I’d be a bit worried about enabling the root user. That could (I’ve not tested with High Sierra) allow remote access too, especially if the password chosen to secure it is weak.

    You are strengthening local access security by reducing remote access security… Anyone who has access to the machine would be able to bypass security pretty easily without this “hack”, so strengthening local is maybe less desirable for the risk.

    I’d likely prefer to keep root login disabled, and just be vigilant of who is at the keyboard of my computer, until Apple patch it.
