Basically the bug allows you to enter an empty password for the super user account root (yes, an empty password!), which has full access to make any change in the entire operating system and any file in it. The root user is a built-in user included in any Linux or Unix-like operating system, commonly used to perform configuration and administration tasks.
The security vulnerability has been found by a developer, Lemi Ergin and reported to Apple Support team via twitter:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can reproduce the issue following the next steps:
- Open System Preferences,
- Then click Users & Groups (or Accounts)
- Click the lock (đź”’) to make changes
- Change the user name to “root”
- Click into the password field (leave it empty)
- Click the “Unlock” button (sometimes requires more than one click)
How to fix it
Apple support have recommended, as a temporary fix, to assign a password to the root user as explained in the following link https://support.apple.com/en-us/HT204012
The next steps are based on macOS High Sierra version 10.13.1
- System Preferences > Users & Groups > Click the lock to make changes, enter an admin user account and hit the “Join” button
- In the next window click the “Open Directory Utility” button
- CLick the lock button, enter an admin user credentials again, then you’ll see the menu bar option “Enable Root User” available
- Enter the new Root user password.
Don’t disable the root account, that’s the condition that makes the bug to reappear.
Hopefully Apple will address this issue as soon as possible and offer a definitive solution, considering the high risk that this bug represents.
UPDATE 11/29/17 Apple has already published a Security Update for macOS to fix the issue https://support.apple.com/en-us/HT208315