Apple's macOS High Sierra has a simple security flaw that lets anyone log into your Mac

Apple's macOS High Sierra has a ridiculously simple security flaw that could be exploited. Photo / Supplied

Apple users have noticed a troubling flaw in the company's Mac operating system which lets people circumnavigate password protocols to gain access to the computer.

Raising alarming privacy concerns, it means anyone with physical access to your MacBook or iMac can create a phantom profile that won't show up on real admin accounts if the machine is running the new High Sierra operating system.

In the device's System Preferences, under Users & Groups, you can click on the lock and gain system administrator access by simply entering the username "root" and leaving the password blank. After hitting enter a few times it grants access. Once that is done, the trick can be used to log into the computer at any time.

The flaw appears to have been first reported by software developer Lemi Orhan Ergin who tweeted the fault to Apple's support team this morning.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

The flaw has been confirmed by a number of users and reported by various tech publications.

As Forbes points out, while someone needs to have physical access to your computer, the flaw is problematic in certain scenarios. For instance thieves now have an easy way to get into an Apple computer they've stolen and third parties like law enforcement officials could easily login to a suspect's private computer.

Just tested the apple root login bug. You can log in as root even after the machi was rebooted pic.twitter.com/fTHZ7nkcUp

— Amit Serper 😷 (@0xAmit) November 28, 2017

The bug reportedly works for all aspects of the operating system that would normally require a password, meaning someone could also get access to your Apple Keychain which holds all your passwords.

If you want a quick way to protect against the flaw, it's probably wise to turn off any guest admin account so people can't enact the password workaround, or change the root password from your directory utility under Settings > Users & Groups > Login Options.

Apple has yet to comment on the flaw.