How To Fix macOS High Sierra Root Superuser Bug That Allows Full Admin Access Without A Password

macOS High Sierra root admin Security bug.

A huge macOS High Sierra security flaw has just been uncovered by developer Lemi Orhan. It allows anyone to gain full admin access as the root superuser on any Mac running this OS version, without providing a password. This situation requires your utmost attention. Below you can find a temporary workaround for this vulnerability until Apple releases a permanent fix in the form of a software update.

To understand the extent of this flaw, consider that anyone can log into an administrator account on an unlocked Mac by using the username “root” and leaving the password empty. These credentials also work at the login screen of a locked Mac. This means that anyone who is aware of this vulnerability can get full access to your Mac!

How To Replicate The macOS High Sierra Root Superuser Bug

Important: The bug is present in both admin and guest Mac accounts, as long as you proceed as follows:
1. Click on System Preferences.
2. Select Users & Groups.
3. Click on the lock, available in the bottom-left corner to open the changes screen.
4. Use “root” as username.
5. Click on the Password field, but don’t input anything.
6. Click the Unlock button, and full access to add a new administrator account is allowed!

Fact: This bug is present in macOS 10.13.1 as well as in macOS 10.13.2, which is currently in beta testing!

How To Fix macOS High Sierra Root Superuser Bug

Until Apple issues an urgent software update to fix this security glitch, you can temporarily close the hole by enabling the root account with a password of your own. Here is how to do it:
1. Access System Preferences.
2. Select Users & Groups.
3. Click on the Lock, situated in the bottom-left corner of the window, to make changes.
4. Provide your administrator name and password.
5. Select Login Options, in the left sidebar.
6. Click on Join, available next to ‘Network Account Server:’.
7. Choose “Open Directory Utility.”
8. Click on the Lock to edit and provide your User Name and Password.
9. Click on ‘Edit’, available in the menu bar at the top of the screen.
10. Choose ‘Enable Root User’ and provide a password for the root account. This prevents the above-mentioned bug from allowing access with a blank password!

Fact: Disabling the root user account again follows the same steps, but at the “Edit” portion of the process, you’ll select “Disable Root User” to remove the option. Until the bug is fixed, though, you’ll want to leave the root user account intact to prevent it from being accessed without a password.
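
To confirm the workaround took effect, the read-only check below reports whether the root account currently has a password hash. It is an added example, not part of the original article or an Apple tool; the function names, the sample strings and the assumed `dscl` output format (a `;ShadowHash;` entry once root has a password) are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the root account state on a Mac.
# Assumption: `dscl . -read /Users/root AuthenticationAuthority` prints a
# ";ShadowHash;" entry once root has a password, and none while disabled.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# The article describes the bug as present on High Sierra (10.13.x).
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify root from the text dscl printed: "enabled" or "disabled".
root_state() {
    case "$1" in
        *ShadowHash*) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Combine both facts into one verdict line.
# $1 = macOS version string, $2 = dscl output for /Users/root
verdict() {
    state=$(root_state "$2")
    if ! is_high_sierra "$1"; then
        echo "INFO: $1 is not High Sierra; root is $state"
    elif [ "$state" = disabled ]; then
        echo "AT RISK: root has no password set; apply the workaround"
    else
        echo "CHECK: root is enabled; confirm you set its password yourself"
    fi
}

# Audit the local machine only where the macOS tools exist.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    verdict "$(sw_vers -productVersion)" \
        "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
fi
```

An “enabled” result only shows that a password hash exists, not that the password is one you chose, so if you did not set it yourself, set a new root password before relying on the result.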