How to avoid macOS High Sierra Admin Access No Password Bug
JT | 29 November, 2017 4:04 am
Reported around noon time on the 28th of November 2017, Developer Lemi Ergin discovered a bug. The bug may allow any user intermittently, to log into an admin account utilizing the username “root” with no password. Our security team here at HostMyApple have tried to replicate this bug remotely on a macOS High Sierra cloud server with no success of remotely accessing a HostMyApple server without first authenticating VNC, SSH or through macOS login.
HostMyApple STRONGLY SUGGESTS that you do NOT REPLICATE the following steps below for any reason at all. This step by step breakdown is provided, to ONLY be used for educational and personal security.
How to Replicate The Bug
- Open System Preferences
- Select Users & Groups
- Click the lock to make changes
- Type “root” in the username field
- Move the mouse to the password field and click there; leave this field blank.
- Click unlock, and it should allow you full access to add a new administrator accounts.
Notice: Until Apple provides an official fix, you can enable a root user account with a password to help prevent the bug. The bug is intermittently present in the current version of macOS High Sierra, 10.13.1 and the macOS 10.13.2 beta.
How to Temporarily Fix Root Bug
- Open System Preferences.
- Select Users & Groups.
- Click on the lock to make changes.
- Enter your administrator username and password.
- Click on “Login Options”.
- Select “Join….” at the bottom of the window.
- Select “Open Directory Utility”.
- Click on the lock to make changes and enter your username and password.
- Navigate your mouse to the top of the menu bar and select “Edit”.
- Select “Enable Root User”.
- Create a password for the “Root User Account”. This will help prevent any malicious login attempts without a password.
Notice: If you decide to disable the root user account, simply follow the same steps above. Until further notice, it may be beneficial to leave this “Root” User Account active, until Apple provides an official fix.
All new HostMyApple cloud servers already have the root account secured. It is not necessary to take any additional steps at this time
Be sure to stop by www.hostmyapple.com/macvps.html to learn about our cloud hosted macOS Servers.