In a rare security flaw from Apple, a macOS High Sierra bug allows untrusted users to gain unfettered administrative control without any password.
How does this bug on macOS High Sierra work?
It is simple. All one has to do is enter the word “root” (without the quotation marks) in the user name field on the login window, move the cursor to the password field, and press Enter, leaving the password field empty. After this, you are logged in to the Apple computer as an administrator with root privileges. For some people it takes a few tries. Many users have confirmed that they were able to replicate this bug on different Macs. Users of earlier macOS versions need not worry: the issue is not present in previous macOS editions.
More information on the macOS High Sierra bug
This flaw can be exploited in several ways, depending mainly on how the Mac has been set up. If full-disk encryption is switched off, then anyone can boot up the Mac and log in as an administrator. The vulnerability does not work if the Mac is turned on but the screen is locked with a password.
Even if you have FileVault switched on, the flaw can still be used to open System Preferences, from where FileVault can be switched off. The vulnerability can also be used to log in as root after logging out of an existing account without shutting the machine down. Put simply, if you have FileVault switched on and your Mac is completely shut down, you are most likely safe from this flaw.
Apple issued the following statement on the bug.
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the “Change the root password” section.
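The statement above leaves the administrator to check for themselves whether the root account has a credential at all. The script below is an added example, not code from the article or from Apple: it reads the root account's AuthenticationAuthority attribute with `dscl` (a read-only query, no login attempt is made), classifies the result, and prints the mitigation Apple recommends, which is to set a root password. The marker strings it looks for (an absent key while root has never had a password, `;ShadowHash;` once a hash exists, `;DisabledUser;` after the root user is disabled again) are assumptions about `dscl`'s output format, as is the constructed sample used when the script runs somewhere other than a Mac.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): report the local root
# account's credential state on macOS and print the mitigation from Apple's
# statement (set a root password). Reading AuthenticationAuthority via dscl
# is read-only; the script never tries to authenticate as root.
#
# Assumed output markers (not stated on the page): the attribute is absent
# ("No such key") while root has never been given a password, contains
# ";ShadowHash;" once a password hash exists, and contains ";DisabledUser;"
# after `dsenableroot -d`.

# classify_root_auth TEXT -> prints one of:
#   no-credential  disabled  password-set  unknown
classify_root_auth() {
    case "$1" in
        *DisabledUser*)      echo "disabled" ;;      # checked first: this line also carries ShadowHash
        *ShadowHash*)        echo "password-set" ;;
        *"No such key"*|"")  echo "no-credential" ;;
        *)                   echo "unknown" ;;
    esac
}

# advise STATE -> prints the defender's action for that state.
# A hash being present does not prove the password is non-blank (dscl cannot
# tell read-only), so the advice matches Apple's: set or change the password.
advise() {
    case "$1" in
        password-set) echo "Root has a password hash; run 'sudo passwd root' to be sure it is not blank." ;;
        *)            echo "Set a root password now: sudo passwd root" ;;
    esac
}

# Live query on a Mac; a constructed sample elsewhere so the script still
# demonstrates the classification on any POSIX shell.
if command -v dscl >/dev/null 2>&1; then
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1) || true
else
    out="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"   # constructed sample
fi
state=$(classify_root_auth "$out")
echo "root credential state: $state"
advise "$state"
```

Run it with `sh check_root.sh` on the Mac being audited; a result of `no-credential` is the default state of a fresh High Sierra install, and the one Apple's workaround changes by giving root a password.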