Security researchers have discovered that any Apple machine can be quickly broken into with a few simple key presses. The newly discovered flaw in macOS High Sierra allows logging in as the root superuser on a Mac with a blank password and no security check, basically giving anyone full access to your computer.
This bug can be exploited only if the Mac's owner left the machine unlocked and then left the desk. With a few clicks, an attacker can create a root account that can be used later to access the affected computer. This account can also be used to log into the affected computer remotely.
According to the researchers:
“Also unlocks system keychain… sounds like authentication is very broken somewhere or they really shipping without root password? LOL”
The flaw affects macOS High Sierra 10.13.1 and 10.13.2 Beta. To prevent attackers from exploiting this flaw, users are advised to create a “root” account themselves and assign it a custom password. This prevents the flaw from creating another root account.
Apple won’t expect everyone to go through that for long; the company will almost certainly roll out a fix ASAP. As such, it will be very important to watch for that update and install it as soon as it becomes available.