There’s a flaw in Apple’s newest computer operating system that allows someone to gain administrative capabilities without a password.
The flaw, discovered by developer Lemi Orhan Ergan and his colleagues, affects macOS High Sierra. To exploit the vulnerability, someone with access to the computer can type “root” and no password in the Users & Groups section of System Preferences.
This gives root access to the computer — meaning a person could operate the device as if they were an administrator and could download malicious software or otherwise compromise the computer.
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac,” an Apple spokesperson said in a statement. You can follow the instructions here.
“If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section,” Apple said.
People across the web have been able to duplicate this bug.
The flaw requires physical access for most people, but could work remotely if the user has Remote Desktop enabled. It’s a good idea, as always, to keep your machine in your own possession.
Update Wednesday, Nov. 29: Apple has released an update to fix this issue. The update is available for download and will be automatically installed on systems running the affected version of macOS High Sierra.