The latest version of macOS High Sierra allows any local user with physical access to take over any Mac by logging in as root with no password.
Numerous reports of the “stupid security mistake” surfaced late yesterday confirming the major flaw, including one from Steven J. Vaughan-Nichols of the Zero Day blog, who said: “This is an all-time security failure. I cannot think of anything to match it.”
Developer Lemi Orhan Ergin from Turkey found a variation of the security flaw and published his findings on Twitter: “You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use ‘root’ with no password. And try it for several times. Result is unbelievable!”
Apple released a statement that they are working on a fix for the problem.
In the meantime, the company advises users to set a root password. Users can do this with the following command: sudo passwd -u root. Apple also provided guidance on how to enable root and how to change your root password here.
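A defender following the advice above will want to confirm the root account's actual state rather than trust that a command succeeded. The following script is an added example, not part of the article or Apple's guidance: it reads the root account's AuthenticationAuthority attribute with dscl on a Mac and classifies it. It assumes (my assumption, not stated on the page) that a ";DisabledUser;" tag marks a disabled account and a ";ShadowHash;" tag marks a stored password hash; off a Mac it falls back to a constructed sample string so it still runs.

```shell
#!/bin/sh
# Classify the root account from its dscl AuthenticationAuthority value.
# Assumption (not from the article): ";DisabledUser;" marks a disabled
# account, ";ShadowHash;" marks a set password hash. A disabled account
# carries both tags, so DisabledUser is tested first.
root_state() {
  aa="$1"
  case "$aa" in
    *";DisabledUser;"*) echo "disabled" ;;
    *";ShadowHash;"*)   echo "enabled-with-password" ;;
    *)                  echo "enabled-no-password-hash" ;;
  esac
}

# Live read on macOS; elsewhere use a constructed sample so the script runs offline.
if command -v dscl >/dev/null 2>&1; then
  AA=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
else
  # constructed sample: what an enabled root with a password hash looks like
  AA="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"
fi

echo "root account state: $(root_state "$AA")"
```

Run it as an ordinary user after setting the root password; "enabled-with-password" is the state the article's advice aims for, and "enabled-no-password-hash" means the account needs attention.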
Several security and computing experts, including Edward Snowden, warned about the flaw on Tuesday. More fallout is to come. In the meantime, reset those passwords.