macOS App Store Preferences Open With Any Password

A local admin can enter their username and any password in the App Store section of System Preferences to unlock the menu.

The bug is nowhere near as dangerous as the root-access security flaw that was uncovered a year ago, whereby attackers could gain root access to macOS computers by typing "root" in the username field and leaving the password field blank.

The bug appears limited to High Sierra (Sierra isn't affected), and MacRumors has verified that it exists in 10.13.2, the latest version of the operating system.

Leaving the password text box blank or entering literally anything, including an incorrect password, will still allow the user to change the account's App Store preferences.

I personally tested this bug in macOS 10.13.1 and it would not work.

The bug allows a user logged in with admin rights (this is important to note) to get around the password requirement when making changes in the App Store settings panel. That includes options for automatically downloading and installing updates and, ironically, modifying how often the App Store should require a user to provide their password for purchases and downloads.

Although this vulnerability is not as serious as earlier password bugs plaguing High Sierra, it could potentially allow a malicious actor to disable automatic security updates on the device, leaving bugs and vulnerabilities that would otherwise be regularly patched exploitable on the machine.
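Because the exposure is that update settings can be switched off without a valid password, an administrator can check them from the command line. The script below is an added example, not from the article or from Apple; the preference domains and key names are the ones used on macOS 10.13-era systems and are an assumption to verify on your build, and `DEFAULTS_CMD` is a hypothetical override so the check can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: audit the automatic-update settings that the App Store
# preference pane controls. Domains and keys below are assumptions based on
# macOS 10.13-era systems; confirm them on the build you manage.

# Hypothetical override hook so the function can be tested without macOS.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# domain:key pairs that should all read as enabled.
UPDATE_KEYS="
/Library/Preferences/com.apple.SoftwareUpdate:AutomaticCheckEnabled
/Library/Preferences/com.apple.SoftwareUpdate:AutomaticDownload
/Library/Preferences/com.apple.SoftwareUpdate:ConfigDataInstall
/Library/Preferences/com.apple.SoftwareUpdate:CriticalUpdateInstall
/Library/Preferences/com.apple.commerce:AutoUpdate
"

# Prints one line per key and returns the number of keys that are not
# explicitly enabled (0 means every setting is on).
audit_update_prefs() {
    failures=0
    for pair in $UPDATE_KEYS; do
        domain="${pair%%:*}"
        key="${pair##*:}"
        # `defaults read` fails when a key is absent; report that as unset.
        value="$($DEFAULTS_CMD read "$domain" "$key" 2>/dev/null)" || value="unset"
        case "$value" in
            1|true|TRUE|YES) echo "OK    $key" ;;
            *) echo "WARN  $key = $value"; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}
```

Source the file on the Mac and call `audit_update_prefs`; any `WARN` line marks a setting to re-enable and investigate.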

The bug, we gather, is fixed in the latest macOS 10.13 beta releases, and will be addressed in the next official release, too.

IBTimes UK has reached out to Apple for further comment.