Everyone running the latest version of Apple's MacOS, the High Sierra build, are vulnerable to a newly discovered bug that allows someone to bypass the root password login prompt to give them full access to the system. Amazingly, it's not some clever hacking trick either -- you simply click on the "login" button several times until it lets you past.
The flaw was discovered by the head of Software Craftsmanship Turkey, software developer Lemi Orhan Ergin. Ergin has received a lot of criticism for his publication of the bug however, as he didn't contact Apple privately to give it time to fix the flaw, he merely put it out there in the public and it's made many millions of Apple users vulnerable.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
If you want to test to see if your system is affected, open up the Root login through System Preferences>Users & Groups> and then simply hit the login button a few times. If you can login without putting in a password, you're affected.
While working on a fix, Apple issued a statement with a simple workaround for now. What you need to do is set a new root password, which involves logging or setting up the root account and adding a password to it.
It released full instructions on how to do that, here.
However, it didn't take long for Apple to put together an official bug patch for the problem. Known as Security Update 2017-001, it should be downloaded automatically. To confirm whether your system has been protected by it, read the Apple blog piece here.
