Apple is promising a software update to patch a major macOS High Sierra security issue that allows anyone full administrator access to a machine without a password.
Here’s Apple statement sent to the media:
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the “Change the root password” section.
The issue was first reported earlier today by developer Lemi Ergin on Twitter. It allows anyone to login to an administrator’s account with the username “root” and no password.