The Guardian – November 30, 2017
IMPACT: discovered a couple of weeks ago and disclosed in an Apple developer support forum… allow[s] anyone to access locked settings on a Mac using the user name “root” and no password, and subsequently unlock the computer
IMPACT: embarrassing for the company and dangerous, allowing anyone with physical access – and in some instances remote access – to a Mac computer to gain full access to user data
ROOT CAUSE (unofficial): A bug in authentication enables the root account with no password the first time authentication fails
COMPANY RESPONSE: Experts also warn against trying out the bug for yourself, as once enabled the flaw can then be more easily exploited even on a locked Mac.
COMPANY RESPONSE: We greatly regret this error and we apologise… We are auditing our development processes to help prevent this from happening again