Turkish developer Lemi Orhan Ergin has discovered that macOS High Sierra appears to ship without a root password: logging in with the username "root" and an empty password gives full administrator access, including the ability to change the passwords of other accounts or do just about anything else.
The vulnerability lets anyone with access to an already unlocked Mac gain administrator (root) rights on it.
Those of us at Pocket-lint who are running older versions of macOS High Sierra weren't able to replicate the bug. To check your own machine, click the padlock icon in System Preferences. Then, instead of entering a password, type "root" for the username and leave the password field empty. If the lock opens, the machine is affected by the security flaw.
Indeed, we tested this out on a Mac running 10.13.2 High Sierra - although it should work on the current 10.13.1 build - and it works quite easily.
Security vulnerabilities don't get a lot worse than this, as exploiting it requires almost no technical skill.
Essentially, the bug lets someone either log in to your Mac or unlock System Preferences by using the username "root" and a blank password.
The workaround right now, according to the Twitterverse, is to set a root user password; the flaw depends on the root account having none. The Apple Support Twitter account acknowledged Ergin's tweet highlighting the issue but did not provide any additional comment.
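As an added example (not from the article, and not code from Apple or from Ergin), the following script checks the macOS version from the command line, looks at whether the root account has ever been given a password, and then applies the workaround of setting one. The reading of `dscl` output in `root_is_disabled` (a `;DisabledUser;` token for a disabled account, or a "No such key" error when the attribute is absent) is an assumption about how macOS reports the account's state, and `sudo passwd root` is the commonly shared form of the workaround.

```sh
#!/bin/sh
# Added example for the root-password workaround; not part of the Pocket-lint
# article. The helpers take strings so they can be exercised anywhere; only
# the section at the bottom calls macOS tools, and it runs only on Darwin.

# Returns 0 when a macOS product version string (as printed by
# `sw_vers -productVersion`) is a High Sierra release, i.e. 10.13.x,
# which is the line the report covers.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the root account is still disabled (never given a password),
# judged from the text of `dscl . -read /Users/root AuthenticationAuthority`.
# Assumption: a disabled account carries the ";DisabledUser;" token, and an
# account with no such attribute makes dscl report "No such key".
# Once the blank-password trick has been used, root is enabled with an empty
# password and this returns 1, so a 1 still means "set a password".
root_is_disabled() {
    case "$1" in
        *";DisabledUser;"*|*"No such key"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check and fix; only runs on macOS.
if [ "$(uname -s 2>/dev/null)" = "Darwin" ]; then
    ver="$(sw_vers -productVersion)"
    if is_high_sierra "$ver"; then
        auth="$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)"
        if root_is_disabled "$auth"; then
            echo "macOS $ver: root has never had a password set"
        else
            echo "macOS $ver: root is enabled; its password may be blank"
        fi
        # The workaround itself: give root a real password. This prompts for
        # your admin password, then for the new root password twice.
        sudo passwd root
    else
        echo "macOS $ver is not High Sierra; this report does not cover it"
    fi
fi
```

Two caveats a practitioner should keep in mind. First, the padlock test described above is itself what enables the root account with an empty password (the first blank-password attempt sets it, the second succeeds), so once you have tried it on a machine, set the root password rather than leaving it as it was. Second, a `dscl` read cannot tell an enabled root with a real password from one with a blank password, which is why the script sets the password on every High Sierra machine instead of probing with another blank login.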
You can check your version of macOS by clicking the Apple logo in the upper left-hand corner of your screen and choosing "About This Mac". Let us know how it goes for you, and stay tuned for Apple's macOS update.