Some users have reported triggering the exploit from the login screen, but we could only consistently recreate the issue from System Preferences.
Tests of the flaw indicate that it could be used to alter a user's system settings that normally require a chosen username and password.
A newly-discovered flaw in macOS High Sierra - Apple's latest iteration of its operating system - allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful "root" user without supplying a password. After plugging in "root" as our username and no password, it took two clicks to gain access to Users & Groups settings on a High Sierra system. All you need to do is set a password for your root account (even if you never plan on using it), and no one will be able to use it to login to your Mac. Select Open Directory Utility click the lock icon in the Directory Utility window then enter your admin name and password again. Naturally though, this is serious enough that Apple is likely working on getting a patch out as you're reading this.
It can't be stressed enough: This is a critical security flaw that all Apple laptop and desktop owners shouldn't ignore.
Apple is yet to comment, but I suspect a quick trip to the locksmith is in order.
This is a developing story. Use root without a password and just continually try until given root access.
"A password prompt that authenticates as root with an empty password would be a black eye for any OS".
At the login screen, click "Other". Users can prevent an attacker from exploiting a bug by creating a "root" account themselves and giving it a custom password.
Currently, there is no official fix from Apple regarding the issue.
Once in the "Join" menu, click on "Open Directory Utility".