UPDATE [November 29, 2017]: Apple has released a security update for macOS High Sierra users. Original article below.

A bug in the latest versions of macOS High Sierra allows users to create a root account with no password by repeatedly pressing a button in the preferences panel.

The only way an attacker could exploit this bug is if the Mac's owner left the machine unlocked and then left his desk.

This is all an attacker needs because with a few clicks he can create a root account that he could use at a later time to access the vulnerable device. The root account can also be used to log into the vulnerable machine remotely.

How the bug works!

Step 1: Open the macOS system preferences window
Step 2: Go to Users & Groups
Step 3: Click the lock icon in the bottom-left corner of the window
Step 4: Type "root" in the username field
Step 5: Place the cursor in the password field
Step 6: Press the Unlock button repeatedly until the user is created

These steps will create a root account on the computer with no password. An attacker could use this account at a later time to legitimately log into a victim's Mac.

The bug affects macOS High Sierra 10.13.1 and 10.13.2 Beta. Users can prevent an attacker from exploiting the bug by creating a "root" account themselves and giving it a custom password. This blocks the bug from creating another root account.
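A defender's check for the condition described above, added here as an example (not code from the original article or from Apple): it classifies the output of `dscl . -read /Users/root Password AuthenticationAuthority` to tell whether the root account has been enabled. The function name `classify_root` and the two sample outputs are constructed for illustration, and the record format they show is an assumption about how `dscl` reports a disabled versus an enabled root account.

```shell
#!/bin/sh
# Audit whether the macOS root account has been enabled.
# Assumption: a disabled root account reports "Password: *" and has no
# ShadowHash entry; an enabled one carries a ";ShadowHash;" authority.

# classify_root: read dscl output on stdin, print enabled|disabled|unknown.
classify_root() {
    awk '
        /^Password:/ { pw = $2; seen_pw = 1 }
        # The authority value may wrap onto its own line, so match anywhere.
        /;ShadowHash;/ { shadow = 1 }
        END {
            if (shadow)                    print "enabled"
            else if (seen_pw && pw == "*") print "disabled"
            else                           print "unknown"
        }'
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'

SAMPLE_ENABLED='Password: ********
AuthenticationAuthority:
 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# On a Mac, query the live directory record; elsewhere, do nothing.
if command -v dscl >/dev/null 2>&1; then
    state=$(dscl . -read /Users/root Password AuthenticationAuthority \
            2>/dev/null | classify_root)
    echo "root account: $state"
fi
```

A result of `enabled` is expected once the workaround above has been applied; on a Mac where nobody deliberately set a root password, it is a reason to investigate. The check cannot tell whether the stored password is blank.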

Turkish software developer Lemi Orhan Ergin discovered and tweeted about the bug earlier today. Many other macOS users independently confirmed the issue. Apple is aware of the bug and is working on a patch.