Anyone can login as “root” with empty password on MacOS High Sierra
On startup, click on "Other"
Enter username: root and leave the password empty. Press enter. (Try twice)
If you're able to log in (hurray, you're the admin now), then head over to System Preferences>Users & Groups and create a new Admin account.
Now restart and login to the new Admin Account (you may need a new Apple Id). Once you're logged into this new Admin Id, you can again proceed to your System Preferences>Users & Groups. Open the Lock Icon with your new Admin ID/Password. Assign "Allow user to administer this computer" to your original Apple ID. Restart.
Now login with your original Apple Id. (In case you wish to remove the "Other" login option on startup read this: https://support.apple.com/en-in/HT204012
If you're unable to login at startup using username: root and empty password, then login with your existing account (standard user).
Again, head over to System Preferences>Users & Groups. Click on the Lock Icon. When prompted for username and password, type username: root and leave the password empty. Press enter. This might throw an error, but try again immediately with the same username: root and empty password. This should unlock the Lock Icon. If it does, try Solution 1 next.
P.S. Solution 2 worked for me. No idea how or why. Hope this helps.
Anyone trying this out needs to be careful because you are enabling the root account without a password. You should change the root password to protect against this vulnerability until Apple resolves it. Disabling the root account will make your computer vulnerable again even if you set a password.
Original Source: https://forums.developer.apple.com/thread/79235 and https://www.reddit.com/r/apple/comments/7g6y06/anyone_can_login_as_root_with_empty_password_on/