You can login as the root user on High Sierra with no password (blank password) from the main login screen or the systems preferences settings.  IT News reports that this flaw can also be exploited remotely and disabling the root account does not work.

Solution - set the root user password

The cure is to set the root user password but this is easier said than done.

Setting the root password is a little complicated. Apple's instructions are:

1. Choose Apple menu () > System Preferences, then click Users & Groups (or Accounts).
2. Click [lock icon], then enter an administrator name and password.
3. Click Login Options.
4. Click Join (or Edit).
5. Click Open Directory Utility.
6. Click [lock icon] in the Directory Utility window, then enter an administrator name and password.
7. From the menu bar in Directory Utility, choose Edit > Change Root Password…
8. Enter a root password when prompted.
 
see https://support.apple.com/en-us/HT20401

Takeaways

High Sierra MacOS has a serious flaw that root user access has a blank password.

This enables hackers to have access to all aspects of a Mac computer with High Sierra.

The flaw can be exploited remotely.

The cure is to set a secure root user password following Apple's instructions

Sources

More details area available from IT News, Lemi Orhan Ergin, Patrick Wardle and Mashable

https://www.itnews.com.au/news/macos-gives-users-full-admin-rights-without-password-478686?eid=3&edate=20171129&utm_source=20171129_PM&utm_medium=newsletter&utm_campaign=daily_newsletter

https://twitter.com/lemiorhan/status/935578694541770752

https://twitter.com/patrickwardle/status/935639234437935105

http://mashable.com/2017/11/28/apple-macos-high-sierra-bug-fix/#QSc81iZV2iq1

Menu