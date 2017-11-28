This is a zero-day: a publicly disclosed vulnerability with no patch available yet. Lemi Orhan Ergin tweeted at Apple's support account that he had discovered a way to log into a Mac running High Sierra by entering the superuser name "root" with no password and then clicking the login button repeatedly.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple? — Lemi Orhan Ergin (@lemiorhan) November 28, 2017

Ergin should absolutely have disclosed this to Apple privately and given the company a chance to patch it before going public, but that's a bandaid on an axe wound at this point. The bug should never have shipped.

The "root" account is supposed to be disabled by default on macOS, and on High Sierra it starts out that way. The problem is what happens when someone tries to use it anyway: entering "root" with an empty password at a login or authentication prompt fails the first time, but that failed attempt enables the account with the empty password, so the next click succeeds. From there, anybody with physical access to your Mac (or, if Screen Sharing or Remote Management is turned on, anybody who can reach it over the network) can blast their way through pretty much any and all security and gain complete control over the machine.

It looks like setting a password for "root" works around the problem:

1. Click on the Apple menu at the far left of the menubar.
2. Click on System Preferences.
3. Click on Users and Groups.
4. Click on the Lock (🔒) icon.
5. Enter your Password.
6. Click on **Login Options**.
7. Click on Join or Edit.
8. Click on Open Directory Utility.
9. Click on the Lock (🔒) icon.
10. Enter your Password.
11. Click on Edit in the menubar.
12. Click on **Enable Root User**.
13. Enter and confirm your Root User Password. (Make it a strong, unique one!)

Do not disable the Root User afterwards. Disabling it puts the account back into the state the bug exploits, so root is reachable with a blank password again.

FWIW, we, @danielpunkass, and @dmoren all confirmed that if you disable the root account, the flaw resets the password to blank again. — Dan Frakes (@DanFrakes) November 28, 2017
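For anyone who would rather do this from the Terminal, or check a batch of Macs, here is an added example (my own script, not part of the original post and not Apple's code). It reads the root record's AuthenticationAuthority attribute with dscl and classifies it, and wraps dsenableroot as the Terminal equivalent of the Directory Utility steps above. dscl and dsenableroot are the real macOS tools; the function names and the sample dscl output quoted in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the state of the
# macOS root account and set a root password from the Terminal.
# Function names and the sample dscl output in the comments are mine;
# dscl and dsenableroot are the real macOS tools.

# classify_root_auth: read the output of
#   dscl . -read /Users/root AuthenticationAuthority
# on stdin and print one word describing the record:
#   never-set  no AuthenticationAuthority attribute at all ("No such key");
#              this is the untouched default, and the state the High Sierra
#              bug turns into "root with an empty password"
#   disabled   the record carries the ;DisabledUser; marker
#   enabled    a ;ShadowHash; entry is present and the user is not disabled
#   unknown    anything else (record missing, dscl error)
# Caveat: this cannot tell an empty ShadowHash password from a real one, so
# "enabled" alone is not proof that the workaround has been applied.
classify_root_auth() {
    record=$(cat)
    case "$record" in
        *"No such key"*)  echo never-set ;;
        *DisabledUser*)   echo disabled ;;   # before ShadowHash: disabled records keep their hash
        *ShadowHash*)     echo enabled ;;
        *)                echo unknown ;;
    esac
}

# check_root_state: run the real query (macOS only) and classify it.
# Errors are merged into stdout so "No such key" is seen wherever dscl prints it.
check_root_state() {
    dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_auth
}

# set_root_password: Terminal equivalent of the Directory Utility steps.
# Run without arguments, dsenableroot prompts for your admin password and
# for the new root password, then enables root with that password.
# Do not pass the password on the command line (-r): it would land in the
# process list and your shell history. Do not run "dsenableroot -d"
# afterwards: disabling root returns the account to the state the bug exploits.
set_root_password() {
    dsenableroot
}

# Stand-alone usage: sh root-check.sh check | fix
case "${1:-}" in
    check) check_root_state ;;
    fix)   set_root_password && check_root_state ;;
esac
```

Run `sh root-check.sh check` before and after applying the workaround: a machine that reports never-set or disabled has not had a root password set, and a machine that reports enabled needs the empty-password login test at the login window to confirm the password actually took. The classifier is kept separate from the dscl call so it can be exercised with captured output on any system.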

Apple needs to fix this stat. In the meantime, share this information with everyone you know who uses a Mac on High Sierra, and make sure they set a root password and then confirm that logging in as "root" with an empty password is refused before they resume their day. Test only after the password is set: on an unpatched machine, the attempt itself is what enables root with a blank password.