Software engineer Lemi Orhan Ergin has discovered a major vulnerability within macOS which provides system administrator access to general Mac users on a target machine, enabling access to the account without requiring a password.
The bug appears to let someone log into the admin account on a Mac by simply typing “root” as the username while leaving the password field blank.
You can see the security bug in action yourself. To replicate it, open System Preferences and go to the Users & Groups section. Click the lock to bring up the login box. Then type “root” in the username field, click the password filed but leave it blank. Now click unlock and it should open up full access to the administrator account.
Apple released the following statement about the security flaw:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac.”