UPDATE [November 29, 2017]: Apple has released a security update for macOS High Sierra users. Original article below.

A bug in the latest versions of macOS High Sierra allows users to create a root account with no password by repeatedly pressing a button in the preferences panel.

The only way an attacker could exploit this bug is if the Mac's owner left the machine unlocked and then left his desk.

This is all an attacker needs because with a few clicks he can create a root account that he could use at a later time to access the vulnerable device. The root account can also be used to log into the vulnerable machine remotely.

How the bug works!

Step 1: Open the macOS system preferences window
Step 2: Go to Users & Groups
Step 3: Click the lock icon in the bottom-left corner of the window
Step 4: Type "root" in the username field
Step 5: Place the cursor in the password field
Step 6: Press the Unlock button repeatedly until the user is created

These steps will create a root account on the computer with no password. An attacker could use this account at a later time to legitimately log into a victim's Mac.

The bug affects macOS High Sierra 10.13.1 and 10.13.2 Beta. Users can prevent an attacker from exploiting the bug by creating a "root" account themselves and giving it a custom password. This blocks the bug from creating another root account.
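A defender-side check for the condition described above, added here as an example and not taken from the article or from Apple: it reports whether the root account is enabled on a Mac without attempting any login. The function names are hypothetical, and the script assumes that `dscl` shows a disabled root account with `Password: *` and no `AuthenticationAuthority` attribute.

```shell
#!/bin/sh
# Added example (not from the article): report whether the macOS root
# account is enabled, without attempting any authentication.
# Assumption: in `dscl` output a disabled root account has Password "*"
# and no AuthenticationAuthority attribute; an enabled one has both set.

# classify_root TEXT -> enabled | disabled | unknown
classify_root() {
    pw=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:'; then
        echo enabled
    elif [ "$pw" = "*" ]; then
        echo disabled
    else
        echo unknown
    fi
}

# audit_root VERSION TEXT -> one-line verdict
# 10.13.1 and 10.13.2 are the releases the article lists (10.13.2 as a beta).
audit_root() {
    state=$(classify_root "$2")
    case "$1" in
        10.13.1|10.13.2) listed=yes ;;
        *)               listed=no ;;
    esac
    case "$state:$listed" in
        enabled:yes)  echo "REVIEW: root enabled on listed release $1" ;;
        enabled:no)   echo "INFO: root enabled on $1" ;;
        disabled:yes) echo "PATCH: root disabled, but $1 is a listed release" ;;
        disabled:no)  echo "OK: root disabled on $1" ;;
        *)            echo "UNKNOWN: could not read root account state" ;;
    esac
}

# Run against the local machine only when the macOS tools are present.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    audit_root "$(sw_vers -productVersion)" \
        "$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1)"
else
    # Constructed sample of a disabled root account, for non-macOS runs.
    audit_root 10.13.1 'Password: *
No such key: AuthenticationAuthority'
fi
```

A `REVIEW` verdict means only that root is enabled; whether that was deliberate, and whether its password is set, has to be confirmed by the machine's administrator.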

Turkish software developer Lemi Orhan Ergin discovered and tweeted about the bug earlier today. Many other macOS users independently confirmed the issue. Apple is aware of the bug and working on a patch.
