Source: www.welivesecurity.com by Francisco Camurca – November 29, 2017
A security hole, discovered on Tuesday (28), allows anyone to log in to a Mac running the latest version of macOS High Sierra (10.13.1) or the latest beta available for testing (10.13.2 beta).
The vulnerability was reported by Turkish software developer Lemi Orhan Ergin, who posted the information on Twitter, calling the bug a "huge security issue".
Curiously, the bug had previously been described as a solution to a user login problem on the Apple Developer Support Forum. A developer named Chethan Kamath, with the username chethan177, wrote on November 13: "At startup, click on 'Other'. Enter the username 'root' and leave the password empty. Hit enter. (Try it twice). If you can log in, you will be the administrator."
The error, which apparently does not affect previous versions of macOS, allows things like FileVault encryption and the firewall to be disabled. In addition, anyone who has access to the computer can also add administrators, change critical settings, lock out the current owner, and so on.
While disabling the root password is critical and a priority in this case, you can also make your macOS system even more secure by disabling guest user accounts. Accounts can be disabled at: System Preferences > Users and Groups, option "Guest User". Then enter your administrator password and disable "Allow guest users to log in to this computer."
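
The two settings discussed above (the state of the root account and guest login) can also be checked from a terminal. The script below is an added example, not part of the original article. It assumes that `dscl . -read /Users/root Password` prints a single asterisk for a disabled root account and that the login window preference `GuestEnabled` reads as 1 or 0; the function names are hypothetical.

```shell
#!/bin/sh
# Read-only audit of the root and guest account settings (added example).
# It never attempts an authentication, so it cannot trigger the login bug.

# Classify root from the output of: dscl . -read /Users/root Password
# Assumption: a disabled root account shows the marker "Password: *",
# while an enabled one shows a masked value such as "Password: ********".
root_state() {
    case "$1" in
        "Password: *") echo disabled ;;   # quoted, so * is a literal asterisk
        "Password: "*) echo enabled ;;
        *)             echo unknown ;;    # command failed or unexpected output
    esac
}

# Classify guest login from the output of:
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
guest_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;                # key missing or unreadable
    esac
}

# Print one REVIEW line per setting that is not in the hardened state.
audit_findings() {   # $1 = root state, $2 = guest state
    [ "$1" = disabled ] || echo "REVIEW: root account is '$1'; confirm it has a strong password or disable it"
    [ "$2" = disabled ] || echo "REVIEW: guest login is '$2'; turn off 'Allow guest users to log in to this computer'"
    return 0
}

# Query the live system only on macOS; elsewhere the functions can still be
# exercised with captured output.
if [ "$(uname -s)" = Darwin ]; then
    r=$(root_state "$(dscl . -read /Users/root Password 2>/dev/null)")
    g=$(guest_state "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)")
    echo "root: $r, guest: $g"
    audit_findings "$r" "$g"
fi
```

An "unknown" result means the command output did not match either expected form and the setting should be checked by hand in System Preferences.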