Well that’s awkward. Apple, which prides itself on its in-built gold standard security, last week announced that it was releasing a patch for a rather crucial vulnerability. It seems that for a while, all you needed to do to gain access to any Apple machine running the new High Sierra OS was to tap in ‘root’ as a username. Anyone could then gain root access to even a logged-out machine, put in a password of their choice and take control of the computer whenever they chose.
This is not the only glitch to have affected High Sierra. When it first appeared, it became clear that the contents of its keychain could be pilfered without even needing a password. In another embarrassing instance, users’ actual passwords popped up as password hints. Researchers might be more eager to inform Apple about these flaws if macOS carried a bug bounty.
Apple has now issued a fix and an apology. Alternatively, users can stop the incursion by activating a password for the root user.