It appears that macOS High Sierra (v10.13.0 & 10.13.1) has a major security bug.
I only heard about this a few minutes ago, but based on my testing so far, what is happening is this: the first attempt to authenticate as the “root” user fails, as it should, because macOS ships with the root account disabled and with no password set.
In High Sierra, however, that failed first attempt enables the root user, and it enables it without any root password having been set. The net result is that any attempt to authenticate as root (at the login window, the padlock in an admin System Preferences pane, or anywhere else) fails the first time, and from then on you can authenticate as root simply by leaving the password field empty.
The username root with an empty password gives full admin/root access to the system, and because the flaw is in the operating system’s own authentication process rather than in one application’s or service’s use of it, it can be exploited anywhere that process is used: the Finder, unlocking admin panes in System Preferences, the command line, and any remotely accessible services you have enabled (e.g. Screen Sharing, File Sharing, or SSH) are all potential attack vectors. The seriousness of this flaw is hard to overstate.
This is a big enough deal that I’m sure Apple will release an update very soon, but in the meantime you can mitigate it by taking the actions below:
*(This does not fix the OS bug that inappropriately enables the root account, but once root has a real password there is no empty-password state for the bug to leave behind, so following the steps below safeguards your system from being exploited by it.)
1 – Open “Directory Utility” (it lives in /System/Library/CoreServices/Applications, or search for it with Spotlight) and click the padlock to authenticate as an admin.
2 – From the “Edit” menu, choose “Enable Root User”.
3 – Set the root user’s password. Since you will likely never use it, make it long and complex; if you ever forget it, you can reset it later with your existing admin user’s credentials (Edit > “Change Root Password…”).
4 – From the “Edit” menu, choose “Disable Root User”.
I would still disable any remotely accessible services if there is anything important running or stored on the system, but at least doing this should prevent someone from exploiting the bug for the moment. Afterwards, confirm it worked by trying to authenticate as root with an empty password: it should now fail every time, not just the first.
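A scripted version of the same four steps, plus a check for the symptom described above, as an added example that is not the author’s script. It assumes macOS 10.13.0/10.13.1 with the stock dsenableroot(8) and dscl(1) tools, that a disabled account carries a “;DisabledUser;” tag in its AuthenticationAuthority value, and that dscl’s -authonly goes through the same opendirectoryd authentication path as the login window and su.

```bash
#!/bin/bash
# Scripted mitigation for the High Sierra empty-root-password bug.
# Added example, not the post author's script. Assumes macOS 10.13.0/10.13.1
# and the dsenableroot(8) and dscl(1) tools that ship with macOS.
set -eu

# Classify an AuthenticationAuthority value from the local directory.
# Assumption: a disabled account carries the ";DisabledUser;" tag in it.
auth_state() {
    case "$1" in
        *';DisabledUser;'*) echo disabled ;;
        *)                  echo enabled ;;
    esac
}

# Report whether the root record is currently disabled or enabled.
root_status() {
    auth_state "$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null || true)"
}

# Random password of N characters (default 40). Nobody needs to remember it:
# an admin can always reset it later with dsenableroot or Directory Utility.
gen_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-40}"
    echo
}

# Steps 2-4: enable root with a real password, then disable it again.
# If no admin password is given, dsenableroot prompts for it instead of
# exposing it in the process list via -p.
mitigate() {
    admin="$1"; admin_pw="${2:-}"
    root_pw="$(gen_root_password 40)"
    if [ -n "$admin_pw" ]; then
        dsenableroot -u "$admin" -p "$admin_pw" -r "$root_pw"   # steps 2 and 3
        dsenableroot -d -u "$admin" -p "$admin_pw"              # step 4
    else
        dsenableroot -u "$admin" -r "$root_pw"
        dsenableroot -d -u "$admin"
    fi
}

# Check for the symptom described in the post: an empty-password
# authentication as root that is refused once and then accepted.
# Assumption: "dscl . -authonly" exercises the same path as the login window.
# WARNING: on an unmitigated system this check is itself the trigger, so if
# it prints "vulnerable", run mitigate immediately.
check_empty_root_password() {
    for _ in 1 2; do
        if dscl . -authonly root '' </dev/null >/dev/null 2>&1; then
            echo vulnerable
            return 0
        fi
    done
    echo ok
}

main() {
    case "${1:-}" in
        status)   root_status ;;
        mitigate) mitigate "${2:?admin user}" "${3:-}" ;;
        check)    check_empty_root_password ;;
        *) echo "usage: $0 status | mitigate ADMIN [ADMIN_PASSWORD] | check" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as an admin user: `status` to see the current state of the root record, `mitigate youradmin` (omitting the password so it is prompted for rather than shown in `ps`), then `check`. If `check` reports vulnerable after the mitigation, it has just enabled root with an empty password, so run `mitigate` again straight away.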