Juli Clover, reporting for MacRumors:
There appears to be a serious bug in macOS High Sierra that
enables the root superuser on a Mac with with a blank password and
no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log
into an admin account using the username “root” with no password.
This works when attempting to access an administrator’s account on
an unlocked Mac, and it also provides access at the login screen
of a locked Mac.
There’s no “appears to be” about this — this is a serious bug. Allowing root access without a password is just inexplicably bad. I rarely describe any bug as inexcusable, but this is inexcusable.
Until Apple issues a fix, there is a workaround: manually enable the root user account and give it a strong unique password.
★ Tuesday, 28 November 2017