Club Benefits
You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Daily (Mon-Sun)
Tom's Guide Daily
Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.
Weekly on Thursday
Tom's AI Guide
Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!
Weekly on Friday
Tom's iGuide
Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.
Weekly on Monday
Tom's Streaming Guide
Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.
Join the club
Get full access to premium articles, exclusive features and a growing list of member rewards.
UPDATED 9 p.m. EST Nov. 28 with comment from Apple, and 9:30 a.m. Nov. 29 with further details on how to break into a Mac.
A very simple task will let anyone gain permanent root access to Macs running macOS 10.13 High Sierra, earning easy access to all settings and data.
Then it gets dastardly. The above procedure creates a new user profile that presents itself as "Other" on the Mac's primary login screen. Type in "root" as the username, type in nothing for the password, and you will open an account with complete root access.
UPDATE: Other methods than the one outlined about activate the root account, as demonstrated in this YouTube clip that shows an attacker using Apple's Screen Sharing feature to remotely activate the root account on a Mac to which he's connected over a network. Nor must the root password be blank -- the attacker can in fact choose any password.
MORE: Best Mac Antivirus Software
We tested this procedure on both an old MacBook Pro and the latest MacBook Air, each running High Sierra. In both cases, we were able to run routine "periodic" diagnostic commands that would usually require temporary "sudo" privileges and an administrator's password -- but this time, with no "sudo" request or admin credentials at all.
On Twitter, Apple Support wrote to Egan: "Thanks for reaching out. Send us a DM, and we'll look further into this with you."
We reached out to Apple ourselves but did not hear back immediately. We will update this story if we receive a response.
This is a massive security issue, as it would permit anyone to easily seize control of your laptop if they had even brief physical access. Even worse, this secret is now completely out in the open. Generally, flaws like this are disclosed privately to the company so they can be fixed without anyone taking advantage.
One way to prevent this would be to enable root access on your own, using the kosher method recommended by Apple in that link, and give the root account a password. Then you can go to the terminal to an type "dsenableroot -d" (without quotes) to turn off root access.
Anyone who tries to get in this way won't have the right password. If you want to turn root access back on, type "dsenableroot" in the terminal.
UPDATE: In a statement to MacRumors, Apple said that it was "working on a software update to address this issue." It then pointed users of macOS 10.13 High Sierra to the same Apple support page we've indicated above and suggested adding a password to the root account.
Best Mac Antivirus Software
Kaspersky Internet Security for Mac's top-shelf malware detection and barely there system impact make it the best antivirus solution.
Avast Free Mac Security's malware-squashing proficiency, negligible performance impact and included password manager make it the best free option.
Bitdefender Antivirus for Mac offers top-shelf malware detection and protects files from ransomware.
