Hotfix for Apple's zero-day root authentication bypass

I saw the following Tweet on Hacker News:

Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

Hotfix for Apple's zero-day root authentication bypass: set a new password for root.

sudo passwd

UPDATE 2017-11-29: Apple released the following statement:

We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.


UPDATE 2017-11-29: Apple released a security update for macOS High Sierra 10.13.1.

