Apple issues a fix for Mac password security problem
Apple Inc. said an update was now available to fix a security issue in its latest Mac operating system that enables people to log in to Mac computers without knowing the password.
The Cupertino, Calif., tech giant said Wednesday that as of 8 a.m., the update was available for download and that later in the day it will be automatically installed on all systems running the latest version of MacOS High Sierra.
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of MacOS,” the company said in a statement. “We are auditing our development processes to help prevent this from happening again.”
A software developer unaffiliated with Apple publicized the problem Tuesday, saying people could log in to Apple computers running MacOS High Sierra by entering the user name “root” and no password, then clicking the login button several times.
The “root” user account is generally used by computer administrators and gives “read and write privileges to more areas of the system, including files in other MacOS user accounts,” according to Apple.
The issue had been described online previously, including in the Apple Developer Forum earlier this month, but received more attention after Lemi Ergin, a Turkish software developer, tweeted about it Tuesday, asking Apple if it was aware of the “huge security issue.”
In a Medium post published Wednesday, Ergin said staffers at a company he works for discovered the issue while trying to help a co-worker recover access to his local administrator account. The staffers used the flaw to recover the account and informed Apple about the problem last week, he said.
“I have no intention to harm Apple and Apple users,” Ergin said in the post. “By posting the tweet, I just wanted to warn Apple and say ‘there is a serious security issue in High Sierra, be aware of it and fix it.’”
Apple said in its statement that its security engineers became aware of the issue Tuesday afternoon and that the company “immediately began working on an update that closes the security hole.”
Twitter: @smasunaga
