There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
Apple is likely already working on a fix, but in the meantime, there’s a temporary workaround — enabling the root user with a password. Here’s how:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Enter your administrator name and password.
5. Click on “Login Options.”
6. Choose “Join” at the bottom of the window.
7. Select “Open Directory Utility.”
8. Click on the lock to make changes and enter your username and password.
9. At the top of the menu bar, choose “Edit.”
10. Select “Enable Root User.”
10. Select “Enable Root User.”
Disabling the root user account again follows the same steps, but at the “Edit” portion of the process, you’ll select “Disable Root User” to remove the option. Until the bug is fixed, though, you’ll want to leave the root user account intact to prevent it from being accessed without a password.
To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing “Guest User” after entering your admin password. Disable “Allow guests to log in to this computer.”
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It’s not clear how such a significant bug got past Apple, but it’s likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.
Update: An Apple spokesperson told MacRumors that a fix is in the works:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”