How to protect your computer from the macOS High Sierra security flaw
Update – Nov. 30: Apple Inc. was quick off the mark to provide a security update for the root vulnerability discovered earlier this week, but after updating, users started reporting that the update broke file sharing. Apple has subsequently reissued the security update to fix the issue. If you previously installed the security update, you will need to go back to the App Store app on your Mac and check for updates. The security update will be listed again as if you never installed it. Select it to install the update again and the file-sharing issue will be fixed.
Update – Nov. 29: Apple Inc. has responded promptly to the macOS High Sierra security flaw discovered Tuesday with the release of a security update. The security update is available in the Mac App Store for users running macOS High Sierra 10.13.1. The root vulnerability has not affected earlier versions of the operating system (macOS High Sierra 10.12.6 and earlier). If you are running a beta version of macOS 10.13.2, a fix is not available yet.
A security flaw has been discovered in Apple Inc.’s macOS High Sierra that allows anyone to gain administrator access to a Mac.
Macs running the latest operating system are vulnerable to hackers, and once a hacker has gained access, they can log back into a locked device at any time. The vulnerability was discovered by Lemi Orhan Ergin, the founder of Software Craftsmanship Turkey, who tweeted Apple Support Tuesday.
Although a hacker would initially need to have physical access to an unlocked computer, they would then be able to gain root-user access while in the “Users & Groups” section of “System Preferences,” by typing “root” into the “User Name” field, leaving the password field blank and clicking “unlock” several times. The hacker could then return at any time and log in as the admin.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can log in as “root” with an empty password after clicking on the login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
This isn’t the first time that Apple’s latest operating system has been plagued by a password security vulnerability. In October, the company released a patch for a flaw discovered the previous month that allowed unsigned apps to capture plain-text passwords from the Mac keychain.
The latest security flaw gets worse for any vulnerable machine that also has screen sharing enabled. According to the tweets below, these machines are also reportedly vulnerable remotely.
I’ve verified that the High Sierra mac bug that creates passwordless root account works, that it can be used to access VNC if screen sharing is turned on, and have pieces of a rudimentary exploit you could start phishing people with.
— John Bambenek (@bambenek) November 28, 2017
If certain sharing services are enabled on the target, this attack appears to work remotely (the login attempt enables/creates the root account with a blank pw). Oh Apple pic.twitter.com/lbhzWZLk4v
— patrick wardle (@patrickwardle) November 28, 2017
Steps to protect your computer
Apple is currently working to issue a fix for the security flaw, according to the company’s statement, but in the meantime, the company has provided instructions on how users can enable a root user and set a password so that their computer remains protected.
Enable or disable the root user
First, follow the instructions below to enable or disable the root user:
Select the Apple menu > System Preferences > Users & Groups (or Accounts) > click the lock icon and enter an administrator name and password > Login Options > click Join (or Edit) > Open Directory Utility. In the Directory Utility window, click the lock icon and enter an administrator name and password. In the Directory Utility menu bar, either select Edit > Enable Root User and enter the password you want to use, or select Edit > Disable Root User.
Change the root password
However, Apple goes on to say that if a root user is already enabled, you will need to follow the instructions below to ensure a blank password isn’t set.
To change the root password, select the Apple menu > System Preferences > Users & Groups (or Accounts) > click the lock icon and enter an administrator name and password > Login Options > click Join (or Edit) > Open Directory Utility. In the Directory Utility window, click the lock icon and enter an administrator name and password. In the Directory Utility menu bar, select Edit > Change Root Password > enter a root password.
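The same check and fix from a terminal, as an added example that is not from the article or from Apple’s support note: it reads the root account’s AuthenticationAuthority record with `dscl` (an absent key means root has never been enabled) and, where root is enabled, sets a non-blank password with `dsenableroot`, the command-line equivalent of the Directory Utility steps above. The `dscl` outputs fed to the classifier here are constructed samples; the function names are this example’s own.

```shell
#!/bin/sh
# Classify the output of `dscl . -read /Users/root AuthenticationAuthority`.
# A root account that has never been enabled has no AuthenticationAuthority
# attribute, so dscl reports a missing key (wording differs across versions).
# An enabled root account carries a ShadowHash entry, whether or not the
# password behind that hash is blank, so "enabled" is the state to act on.
classify_root_state() {
  case "$1" in
    *"No such key"*|*eDSAttributeNotFound*) echo "disabled" ;;
    *ShadowHash*)                            echo "enabled" ;;
    *)                                       echo "unknown" ;;
  esac
}

# Read the live record (macOS only). stderr is merged because dscl prints
# the missing-key message there. Prints one of: disabled, enabled, unknown.
live_root_state() {
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  classify_root_state "$out"
}

# Mitigation matching the steps above: give root a real password.
# With no -u/-p/-r arguments dsenableroot prompts for an administrator
# name and password and then for the new root password, so nothing
# sensitive lands in shell history. (`dsenableroot -d` disables root instead.)
set_root_password() {
  sudo dsenableroot
}

# Run directly on a Mac as `sh check_root.sh --check` to report and fix.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--check" ]; then
  state=$(live_root_state)
  echo "root account: $state"
  if [ "$state" = "enabled" ]; then
    set_root_password
  fi
fi
```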
Image: Apple