Apple Inc. released an update to its latest operating system for Mac computers and said it’s changing development practices after a significant security flaw was disclosed Tuesday that allowed people to log in without a password, potentially making private user data vulnerable.
The issue, discovered in the macOS High Sierra operating system for laptops and desktops that was released in September, would let anyone enter the word “root” when prompted for a username, and provide no password when logging on to the device. That would permit unfettered access to the file system for a Mac, exposing private documents on that particular computer. One user reported the ability to also access the computer using the root login remotely.
The glitch is a rare and potentially embarrassing failure for Apple, whose software is generally known for being less prone to hacking and malware infections than Windows software from Microsoft Corp. The previous version of the operating system didn’t appear to be affected by the bug.
“A password prompt that authenticates as root with an empty password would be a black eye for any OS. Never mind one from a security and privacy-conscious company such as Apple,” Steve Troughton-Smith, a Mac software developer, wrote on Twitter.
Apple released a security update for the software on Wednesday. The fix is available for download in the App Store and later in the day will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” Apple said in a statement. “We greatly regret this error and we apologize to all Mac users.” Apple said it’s auditing its development processes to help prevent such a situation from happening again.
Tests of the flaw indicated that it could be used to alter a user’s system settings that normally require a chosen username and password. Some settings include changing key security preferences — like enabling or disabling a computer’s firewall or storage drive encryption.
The flaw was publicized Tuesday on Twitter by Lemi Orhan Ergin, a software engineer based in Turkey. Edward Snowden, a key voice in the information security community after being the center of many years of National Security Agency leaks, commented on the disclosure. “Imagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key,” he wrote on Twitter.