BGR staff tested the bug on several devices running the most recent version of MacOS High Sierra, and were able to log in as the root user easily, with access to all other user accounts.
The vulnerability does not always work on the first attempt, but simply continuing to click the "Unlock" button with "root" entered as the username and no password provided will eventually unlock the machine.
In the login field, type "root" as the username.
These steps will create a root account on the computer with no password.
The bug affects macOS High Sierra 10.13.1 and 10.13.2 Beta. As it turns out, it's remarkably easy for someone to gain admin access to the device; you don't even need a password.
Apple wasn't immediately available to comment on the bug, whether it's working on a fix, or how to protect any computers running High Sierra right now. It's likely that you'd have to be running a certain version of High Sierra to get the same results.
So far as we can tell, you need access to a now logged in account in order to trigger it.
Ben Johnson, the chief technology officer of Obsidian Security and a former U.S. National Security Agency computer scientist, described the flaw to IBT as "a hacker's dream".
According to reports (meaning we haven't tested this), this isn't an issue on older versions of the OS. Click "Login Options", then click "Join", which appears next to the text "Network Account Server". Go to Apple's support page here for more information about how that works. Then from the menu bar at the top of the screen, click on the "Edit" menu and choose "Enable Root User".