Just like in Windows, macOS has admin controls where certain changes made to the operating system, like installing or deleting apps, can only be done by someone who knows the admin password for the computer. However it seems that developer Lemi Ergin has recently discovered a bug (via MacRumors) that lets users bypass the password completely.
Basically when prompted to enter the admin password, all users have to do is type “root” into the user name section and leave the password blank, after which it will users to make changes to the computer that would otherwise be limited to those who admin access. Not only that, it seems that this bug will let users access a Mac computer that has been locked.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
This appears to be affecting those running macOS High Sierra, and even the latest 10.13.2 beta has not addressed the issue, suggesting that Apple was still unaware of the problem, at least until now. The good news is that there is a fix for this, where you can enable a root account with a password to prevent this bypass. The details of which can be found on Apple’s website.
In a statement provided by Apple, “We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: If a Root User is already enabled, to ensure a black password is not set, please follow the instructions from the “Change the root password” section.”