macOS High Sierra ‘root’ security bug: Stop and do this NOW

Rene Ritchie’s explainer walks you through the steps you should take now to make sure the root account on your Mac has a password set.

  • Caleb Hightower

    So, tried the terminal approach only to discover the root pw was already there. So I tried my admin pw and it was accepted and Terminal proceeded to prompt me to then reset the pw with a new one. This was not clear to me by just reading the article and following the command line instructions. I was not expecting the root pw to already be populated with my admin pw (I’m assuming the two should be different). I followed the second Directory Utility instructions to reset root pw and all went as expected.

    Just trying to help those who may find this confusing as I did.
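The comment above describes finding that root already had a password and resetting it from Terminal. As an added example, not from the original article or any commenter, here is a small POSIX shell script that tells you whether the root account on a Mac is enabled before you decide to reset it. It assumes (not stated on the page) that `dscl . -read /Users/root AuthenticationAuthority` prints "No such key: AuthenticationAuthority" when root is disabled and lists a `;ShadowHash;` authority when root has been enabled; the sample dscl output strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article or comments).
# Reports whether the macOS root account is enabled, based on the output of
#   dscl . -read /Users/root AuthenticationAuthority
# Assumption (not stated on the page): a disabled root account has no
# AuthenticationAuthority attribute, so dscl prints
# "No such key: AuthenticationAuthority"; an enabled root account carries a
# ";ShadowHash;" entry in that attribute.

# Classify one dscl output string. Prints "enabled", "disabled" or "unknown".
# Kept separate from the live call so it can be exercised with constructed
# sample output on any system.
root_state_from_dscl() {
  case "$1" in
    *"No such key: AuthenticationAuthority"*) echo disabled ;;
    *ShadowHash*)                            echo enabled  ;;
    *)                                       echo unknown  ;;
  esac
}

# Live check. dscl exists only on macOS, so bail out cleanly elsewhere.
check_root_on_this_mac() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found: run this on macOS" >&2
    return 2
  fi
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  root_state_from_dscl "$out"
}

# Constructed sample outputs, so the classifier can be tried offline.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Usage: on a Mac, run `check_root_on_this_mac`; if it prints "enabled" and
# you did not enable root yourself, set a strong password with
# `sudo passwd root` (or disable root again in Directory Utility) and apply
# Apple's security update.
```

If the live check prints "enabled" on a machine where you never enabled root, treat that as a sign the account was activated for you, as in the comment above, and set or reset the password before doing anything else.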

  • Janak Parekh

    Or, even easier, install the security update released today 🙂

    https://support.apple.com/en-us/HT208315

    @Dave, worth updating this post or making a new one?

    • Caleb Hightower

      Thanks, just saw it in my App Store > Updates.

  • CapnVan

    I don’t mean to downplay the severity of the bug (I’m installing the update now), but I’ve always been a little confused by the hype these types of security issues get.

    If someone with technical know-how and evil motives has physical access to your machine, aren’t you already in trouble? Aren’t you already taking the same kind of steps you’d be taking if someone had your wallet?

    • FWIW, physical access was not required for this bug.

      • alaska99801

        Yes you do need physical access.

        • Sigh. No, it’s really not. Be more creative.

          • Sigivald

            Yes and no.

“So, anybody who has physical access to your Mac or can get through via screen sharing, VNC, or remote desktop, and enters ‘root’ and hits login repeatedly, can gain complete access to the machine.” is what Ritchie says.

            So it’s not just physical access, but it equally looks like not things like FTP or file sharing?

          • Yes; physical access or screen sharing, VNC or remote desktop. I’ve heard mixed stories about whether SSH was a problem and no longer have a way to test it. If it were true, that would be a big one too.

            Once the cracker is in, of course, they’re in as deeply as they want to be… including turning on services that aren’t already on.

            (I wasn’t comfortable sharing much about it so soon, but I think we can talk about this openly now.)

  • Sigivald

    I really want to know what the code that activated the root account was trying to do.

    Was it “activate an inactive account to see if it can authenticate”, but “forgot to exclude the default root account”?

    (And if so, who thought that was a great user story in the first place?)