A newly discovered macOS High Sierra flaw is potentially leaving your personal data at risk. Developer Lemi Orhan Ergin publicly contacted Apple Support to ask about the vulnerability he discovered. The flaw lets someone with physical access to a macOS machine access and change personal files on the system without needing any admin credentials.
Users who haven’t disabled guest user account access or changed their root passwords (likely most) are currently open to this vulnerability. We’ve included instructions on how to protect yourself until an official fix from Apple is released.
Here are the tweets referenced:
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The temporary fix involves setting a custom password for root. I hope Apple gets a patch out for this ASAP; this is a seriously bad bug. Check it out:
Welp. On macOS High Sierra anyone can get full access by logging in as root with an empty password. 💀 pic.twitter.com/4UK9GOPy9D
— Austin Evans (@austinnotduncan) November 28, 2017