Apple has come under harsh criticism from security experts and users alike for a glaring security flaw in macOS High Sierra. The exploit is ludicrously simple, making it easy for anyone to hack a Mac without breaking a sweat.
The hole was first brought to light by a software engineer named Lemi Orhan Ergin who took to Twitter to put Apple on blast. Basically, a person with physical access to a macOS High Sierra-running Mac would just have to dive into System Preferences > Users & Groups and then click on the lock button to make changes.
They would then have to type “root” as their user name in the pop-up that appears and leave the password field blank. Several attempts to unlock later, they’ll be allowed to login and wreak havoc on the Mac.
As Apple explains it, the user account called “root” is a type of superuser with read and write privileges to greater areas of the computer. This includes files in other accounts, making this an especially dangerous exploit. They can even change the passwords for other users.
The root user is actually disabled by default, so the best thing to do would be to activate it with a password. That’s Apple’s official advice up until it releases a software update to address the problem. You can read its instructions to do so here. In short, open System Preferences > Users & Groups > Login Options > Join > Open Directory Utility > Edit > Enable Root User.
It’s also a good idea to disable guest accounts since it’s the easiest way for someone to gain access to a Mac and mess around with the root account in the first place. Head into System Preferences > Users & Groups, pick Guest User, and then uncheck “Allow guests to log in to this computer.”
This isn’t a necessary step if there’s a root password in place, but might give people some additional peace of mind till Apple issues a fix.