The flaw, which affected the latest version of macOS, High Sierra, allowed anyone to access locked settings on a Mac—and to unlock the computer—by using the username “root” and a blank password.
It was apparently discovered several weeks ago and discussed in an Apple developer forum, but didn’t gain publicity until this week, when Lemi Orhan Ergin brought the issue to Twitter, saying:
Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can log in as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. And try it several times. Result is unbelievable!
To their credit, Apple quickly responded with a temporary method of keeping Macs safe. In a statement, the company said:
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorised access to your Mac. To enable the root user and set a password, please follow the instructions here: support.apple.com/en-us/HT204012. If a root user is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘change the root password’ section.
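Apple's interim advice comes down to one check: the root account should either be disabled or have a real password set. The script below is an added example, not code from this article or from Apple. It reads the state macOS keeps in root's AuthenticationAuthority attribute (via the real `dscl . -read /Users/root AuthenticationAuthority` command) and classifies the account as disabled, enabled or unknown; the token layout it matches on (";DisabledUser;", ";ShadowHash;", ";Kerberosv5;") and the sample outputs are constructed from typical dscl output and are assumptions, not captures from a real machine.

```shell
#!/bin/sh
# Added example (not from the article or Apple): audit the local root
# account on macOS. Root should be disabled, or enabled with a real password.
#
# macOS records account state in the AuthenticationAuthority attribute:
#   dscl . -read /Users/root AuthenticationAuthority
# A disabled root carries the ";DisabledUser;" token; an enabled account
# carries only hash-type tokens such as ";ShadowHash;". The token layout
# matched here is an assumption based on typical dscl output.

# extract_aa DSCL_OUTPUT
# Pulls the AuthenticationAuthority value(s) out of dscl's text output,
# handling both the one-line form ("Attr: value") and the multi-line form
# (values on the following indented lines).
extract_aa() {
    printf '%s\n' "$1" | awk '
        /^AuthenticationAuthority:/ { found=1; sub(/^AuthenticationAuthority: */, ""); printf "%s ", $0; next }
        found && /^ /               { sub(/^ +/, ""); printf "%s ", $0; next }
        found                       { exit }
    '
}

# classify_root_aa AA_VALUE
# Prints one of: disabled | enabled | unknown
classify_root_aa() {
    case "$1" in
        *';DisabledUser;'*)                 echo disabled ;;
        *';ShadowHash;'*|*';Kerberosv5;'*)  echo enabled ;;
        *)                                  echo unknown ;;
    esac
}

# audit_dscl_output DSCL_OUTPUT
# Classify directly from the raw dscl text.
audit_dscl_output() {
    classify_root_aa "$(extract_aa "$1")"
}

# audit_live_root
# Runs the real dscl query on a Mac; on other systems it reports "unknown".
audit_live_root() {
    if command -v dscl >/dev/null 2>&1; then
        audit_dscl_output "$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample outputs (assumed shapes, not captured from a real machine).
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_MULTILINE='AuthenticationAuthority:
 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
 ;Kerberosv5;;root@LKDC:SHA1.0000;LKDC:SHA1.0000;'
SAMPLE_MISSING='No such key: AuthenticationAuthority'

for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_MULTILINE" "$SAMPLE_MISSING"; do
    echo "sample -> $(audit_dscl_output "$s")"
done
echo "this machine -> $(audit_live_root)"
```

An "enabled" result is the case Apple's second sentence addresses: the attribute only lists credential types, not the hash itself, so it cannot show whether the password is blank, and an enabled root should have its password changed per the ‘change the root password’ section Apple points to. "unknown" on a Mac means dscl returned no attribute, which also warrants a manual look.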
A fix emerged overnight, with Apple releasing a High Sierra update that patched the issue on Wednesday afternoon. This update was pushed to all affected computers.
Security experts have stated their concerns about the existence of such a bug, but many have also praised Apple for their response to the situation. For their part, Apple also recognised the seriousness of the flaw:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS. We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
It’s unclear how quickly this flaw might have been fixed if it had not been publicised on social media.
For now, though, Mac users can rest easy.