Apple MacOS release High Sierra has a serious security flaw. Anyone who hits a prompt in High Sierra asking for a username and password can login as “root” without password. This works in the login prompt if the machine has multiple users. It also works in a logged-in single user machine if  trying to access anything that requires privilege escalation (aka ‘root access’ or ‘unlocking’).

When prompted for a user name and password the prompt can be bypassed simply typing in “root” as a username, leaving the password field blank and clicking “unlock” twice. Several malware try this approach as a default method of gaining the administrative rights to a computer.

If you have updated to High Sierra, we recommend you to enable user ‘root’ and setting a complex password for it. This will be a workaround before Apple get around to fix the actual security flaw.

Apple has released an official patch: