If you follow our MacOS 10.13 High Sierra Pro Audio Compatibility Guide With Regular Updates article and as a Pro Tools user you haven't updated to macOS High Sierra then you can breathe a huge sigh of relief. However, if you have updated to macOS High Sierra 10.13 then you need to read this article and we recommend you follow the excellent advice for the Mac Rumors web site or the article from Maintain, the people behind the Cocktail macOS utility application.
A serious bug in macOS High Sierra lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.
This allows for admin-level access directly from the locked login screen, with the account, able to see everything on the computer.
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. There is a full how-to with a complete rundown of the steps available on the Mac Rumors web site.
An Apple spokesperson told MacRumors that a fix is in the works:
"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
Apple Release Security Update To Cover This Bug
Security Update 2017-001 is now available and addresses the following:
Available for: macOS High Sierra 10.13.1
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
If you require the root user account on your Mac, see this information on how to enable the root user and change the root user's password.
Information will also be posted to the Apple Security Updates web site.