Mac computers running macOS High Sierra have a serious bug that can let anyone gain root access to the system without a password.
On Tuesday, security researchers disclosed a bug that gives anyone a blindingly easy way to break that operating system’s security protections. Anyone who hits a prompt in High Sierra asking for a username and password before logging into a machine with multiple users can simply type “root” as the username, leave the password field blank, click “unlock” twice, and immediately gain full access.
With those privileges, the account can be used to modify the rest of the Mac and look up passwords in Keychain Access. Even after a reboot, the root account remains.
This is a serious flaw and you should act quickly to defend yourself. As Apple advised, for now, the best workaround is to enable the root account, and keep it enabled with the password of your choice. Here’s how:
Step 1: Go to System Preferences > then click Users & Groups (or Accounts).
Step 2: After you click the lock icon, enter your admin name and password. Click Login Options > then click Join (or Edit).
Step 3: Select Open Directory Utility > click the lock icon in the Directory Utility window > then enter your admin name and password again.
Step 4: When Directory Utility opens in a new window, go to the menu bar and select Edit > Enable Root User, then enter a password for the root user.