A serious bug in macOS High Sierra lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
“We are working on a software update to address this issue,” Apple said in a statement.
The bug was discovered by Turkish developer Lemi Ergin.
He found that by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine.
Mr Ergin faced criticism for apparently not following responsible disclosure guidelines typically observed by security professionals.
Those guidelines instruct security experts to notify companies of flaws in their products, giving them a reasonable amount of time to fix the flaw before going public.
Mr Ergin did not respond to those claims when asked on Twitter, and the BBC was unable to reach him on Tuesday.
While Apple works on its fix, it offered a workaround for users concerned about the bug.
“Setting a root password prevents unauthorized access to your Mac,” the company explained.
“To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012.
“If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”