Vilaca discovered that when a Mac goes to sleep and wakes back up again, the programme that gets the computer system started can be tampered with.
Normally this code is mostly read-only, but as the Mac wakes up there is a hole in its security, and the code can be changed remotely.
Macs released before mid-2014 are vulnerable to this attack.
At this point an attacker can install a rootkit, which is a kind of malware that is difficult to detect or remove, and that can even survive hard drive reformatting and reinstallation of the operating system, Ars Technica reported.
Hackers don't need physical access to the computer to do this.
Vilaca tested the attack on a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air. Later machines, however, were not vulnerable, and the researcher suspects that this means the bug has been fixed in newer models - either purposely by Apple, or by accident.
The only real defence is for Mac users to change their default settings so that the computer doesn't enter sleep mode when not in use, Vilaca said. He added that this attack is unlikely to happen on a mass scale, and is more likely to be used to target individual users.