The attacker needs only to head to Users & Groups, click the lock at bottom-left, then try to log in as "root" with no password.
From the account, you'll able to see everything on the Mac.
This flaw is significant but the risk to most users is quite low.
The flaw requires physical access for most people, but could work remotely if the user has Remote Desktop enabled. Those running previous versions of MacOS including Sierra and Yosemite do not appear to be affected by the bug. If you want to protect yourself, physically keep your Mac on lockdown for now, until Apple releases a software update, which we expect will come out in the next 24-48 hours due to the severity of this bug.
IBT reached out to Apple for comment regarding the discovery of the security vulnerability but did not receive a response at the time of publication. They could reset or change passwords, delete or add users and Apple IDs linked to the machine, and dip into other accounts on the system - essentially, they would get unfettered access to all the data that lives on the computer. "Never mind one from a security and privacy-conscious company such as Apple", Steve Troughton-Smith, a Mac software developer, wrote on Twitter.
Choose Edit Change Root Password and enter a new, non-trivial password. You can do this from the user login screen.
Enlarge ImageA demonstration of the security flaw. CNET
You can patch this problem right now by creating a root account manually and giving it a secure password.
Go to System Preferences then click Users & Groups (or Accounts).
Currently, there is no official fix from Apple regarding the issue. Anyone can login as "root" with empty password after clicking on login button several times.
Click in the Directory Utility window, then enter an administrator name and password.
In the login field, type "root" as the username.