Dangerous (and embarrassing) bug in macOS High Sierra

Yesterday, a dangerous - and quite embarrassing - bug was uncovered in macOS High Sierra. It is possible to authenticate with the user "root" and no password in situations where the OS asks for an administrative account. Apparently, there is also a way to do so when you have access to the system using a guest account, which adds insult to injury, because this is a default feature of the OS that many people will have enabled (I don't, but that's mostly because I don't like the extra login option on the login screen - but when you think about it, it makes sense from a security standpoint as well).

This reminds me in an unpleasant way of the post by Marco Arment from January 2015, "Apple has lost the functional high ground". This really should not happen and has me once again doubting Apple's priorities. It remains quite puzzling how the same company can create such fantastic technical innovation as the iPhone X, but at the same time can make such terrible mistakes in QA.

You can set a password for the root user, which will plug this hole, so the fix is quite easy. For instructions, see the original post at MacRumors.
