A few hours ago a glaring hole in macOS High Sierra was uncovered by software developer Lemi Orhan Ergin. Respected sources such as ComputerWorld and CNBC have called the macOS security flaw "unforgivable" and a "huge password glitch", with CNBC quoting Edward Snowden describing the issue as "really bad". However, the first target of criticism among the Twitterati was Ergin himself, for sharing the vulnerability in public and giving Apple no time to react.
The flaw
Ergin, a Turkish software developer and founder of Software Craftsmanship Turkey, told his followers that "Anyone can login as 'root' with empty password after clicking on login button several times." Little further explanation is required, such is the simple and worrying nature of this 'hack'. The first couple of attempts at this blank-password login will fail, but trying it several times will let you in; the "result is unbelievable," exclaimed Ergin.
So that people could replicate this login bypass, Ergin went on to explain that the root login dialogue can be reached via System Preferences > Users & Groups, then clicking the lock to make changes. Almost immediately the root password bypass was confirmed by many macOS users. Interestingly, Twitter user Seth Goggans found a video clip of Apple's Craig Federighi "using the #rootgate exploit" during a recent macOS demonstration.
Workaround for now
Apple is actively working on a fix for the security flaw in its OS, but in the meantime it has issued an advisory with a workaround. In a communication sent to ComputerWorld, Apple advised the following: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
In short, enabling a genuine root user and setting a password for it puts you back in control and closes this blank-password hole. You can follow through Apple's workaround instructions here; they were published yesterday, though they don't actually mention the flaw.
UPDATE:
Apple has quickly released a patch for the security issue described above. You can read about and download Security Update 2017-001 directly from Apple.