There’s a vulnerability in the latest version of macOS High Sierra (10.13.1) that may let anyone with physical access to a Mac log in and gain system administrator (root) access. Or, if they already have an account, upgrade their access to the system administrator (root) level.
You can work around the issue by setting a root password as described in this support document from Apple. They’re working on fixing it.
The vulnerability works like this:
- At any login or a privilege escalation dialog a user types in the username root
- The user hits the login button or enter a few times in quick succession
- The system enables the root user account and assigns it no password.
This is incredibly bad for Apple to have a vulnerability this easy to exploit, and it’s ridiculous that it was also apparently publicly available on Apple’s developer forums weeks ago.