This bug lets anyone log in to or unlock macOS High Sierra with full administrative access using just an empty password.
The bug allows an empty password to be entered for the superuser account root (yes, an empty password!), which has full access to change anything in the operating system and any file on it. The root user is a built-in account on any Linux or Unix-like operating system, commonly used for configuration and administration tasks.
The security vulnerability was found by a developer, Lemi Ergin, and reported to the Apple Support team via Twitter:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You can reproduce the issue by following these steps:
Apple Support has recommended, as a temporary fix, assigning a password to the root user, as explained at https://support.apple.com/en-us/HT204012
The following steps are based on macOS High Sierra version 10.13.1.
Don’t disable the root account; a disabled root account is the condition that makes the bug reappear.
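The following shell script is an added example, not part of the original post or of Apple's documentation. It is a read-only check an administrator can run on a Mac to see whether it still matches the risk conditions described above: a 10.13.x system whose root account has no password assigned. It assumes that `dscl . -read /Users/root Password` prints `Password: *` when root is disabled or passwordless and a masked `Password: ********` once a password has been set, and that `sw_vers -productVersion` prints a version such as `10.13.1`; the parsing functions take that command output as an argument so the logic can be exercised offline on constructed strings.

```shell
#!/bin/sh
# Added example (not from the original post): read-only check for a High Sierra
# machine whose root account has no password set.
# Assumptions (not verified against the page): dscl prints "Password: *" for a
# disabled/passwordless root and "Password: ********" once a password exists;
# sw_vers -productVersion prints e.g. "10.13.1".

# Classify the output of `dscl . -read /Users/root Password`.
# Prints one of: no-password | password-set | unknown
root_password_state() {
    dscl_output="$1"
    case "$dscl_output" in
        "Password: **"*) echo "password-set" ;;  # masked hash: a password exists
        "Password: *"*)  echo "no-password" ;;   # single asterisk: no usable hash
        *)               echo "unknown" ;;
    esac
}

# Return 0 when the product version is in the 10.13 (High Sierra) line,
# the release family the post describes as affected.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Combine both signals into a one-line verdict for the administrator.
assess() {
    version="$1"
    dscl_output="$2"
    state=$(root_password_state "$dscl_output")
    if [ "$state" = "unknown" ]; then
        echo "UNKNOWN: could not interpret dscl output for $version"
    elif is_high_sierra "$version" && [ "$state" = "no-password" ]; then
        echo "AT-RISK: $version with passwordless root; set a root password (HT204012) and apply Security Update 2017-001 (HT208315)"
    else
        echo "OK: $version, root password state: $state"
    fi
}

# Live run only on macOS; elsewhere exercise the logic on constructed samples.
if [ "$(uname)" = "Darwin" ]; then
    assess "$(sw_vers -productVersion)" "$(dscl . -read /Users/root Password 2>/dev/null)"
else
    assess "10.13.1" "Password: *"            # constructed sample: still exposed
    assess "10.13.1" "Password: ********"     # constructed sample: root password assigned
fi
```

Run it with `sh check_root.sh` on the machine in question; an `AT-RISK` verdict means the temporary fix above has not been applied. The check reads directory data only and changes nothing.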
Hopefully Apple will address this issue as soon as possible and offer a definitive solution, considering the high risk that this bug represents.
UPDATE 11/29/17: Apple has already published a Security Update for macOS that fixes the issue: https://support.apple.com/en-us/HT208315