There’s a major bug in macOS that can give anyone access to the root user account on an unlocked Mac. The root user account on a Mac is disabled by default, and comes with access to more areas of the system and its files. First discovered by developer Lemi Ergin (via MacRumors), this bug is active in the latest macOS High Sierra 10.13.1, and also in the macOS 10.13.2 beta.
Since the root user account is disabled by default, this bug makes it possible for anyone to access it without a password. To try out this process, choose Users & Groups from System Preferences and click on the lock icon. Simply type ‘root’ as the username and click on the password bar but leave it blank. After this, click unlock and you will be given access to make a new admin account.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Apple has taken note of this issue and responded in a quote to MacRumors, “We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Apple’s support page also has a step-by-step process on how to enable or disable the root user, and change the password. To enable the root user account, follow the same process as mentioned above, but after clicking the lock icon, enter an admin name and password and click ‘Login Options’ followed by ‘Join’. After this, click ‘Open Directory Utility’ and enter an admin name and password. You can then choose to enable the root user and set a password for it.
You can follow the same process to change the root user password from the ‘Directory Utility Window’. After logging in with an admin name and password, you can choose to change the root user password.