Mac computers with High Sierra installed (macOS 10.13.1 or higher) have a serious bug that can let anyone gain root access to the system without a password.
The hack is easy to pull off. It works when High Sierra displays the username and password prompt, which appears after opening "Users & Groups" in the Mac's System Preferences application and clicking the lock icon.
Anyone who types "root" into the username field, leaves the password field empty, and clicks unlock (once or twice) will pave the way for a new account that has system admin privileges on the computer.
With those privileges, the account can be used to modify the rest of the Mac and look up passwords in Keychain Access. Even after a reboot, the root account will remain.
On Tuesday, a security researcher named Lemi Orhan Ergin tweeted about the problem, which prompted Apple to investigate.
It probably wasn't the best idea for someone to share this bug over Twitter. "This kind of public disclosure can put users at risk," said Keith Hoodlet, a security engineer with Bugcrowd, which does crowdsourced security testing.
He recommends users refrain from trying out the bug on their Macs running High Sierra. Doing so creates an account with super privileges, which can open it up to remote attack. To mitigate the risk, users who've decided to test the bug should create a password for the new root account, which can be done by following the temporary fix Apple has provided.