A huge security issue in macOS High Sierra has just been revealed on Twitter by Lemi Orhan Ergin:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra.
Anyone can login as "root" with empty password after clicking on login button several times.
Are you aware of it @Apple?
I've been able to confirm this on my machine.
This issue occurs when you try to unlock a secure preferences item from the System Preferences app.
This is really bad, as it allows someone with a physical access to the machine to alter any system setting, like changing user passwords, adding admin users, or even decrypting FileVault volumes.
I hope Apple will react soon, providing an update, but in the meantime, here's a simple way to prevent this issue:
Open a new Finder window, and navigate to the
Here you will find an app named Directory Utility.app.
Open it, and unlock it by using the lock icon at the bottom-left of the window.
Then, from the application's Edit menu, choose Enable root user.
This will allow you to set a password for the macOS root user.
At this point, the security issue will no longer happen.