MacOS High Sierra lets you unlock App Store preferences with any password


The new flaw, uncovered by Eric Holtam, an IT systems administrator, and posted to Open Radar, a bug-reporting website, is troubling nonetheless.

I personally tested this bug in macOS 10.13.1 and it would not work.

There is a security flaw in the most recent edition of macOS High Sierra, version 10.13.2, that allows users to unlock the App Store menu in System Preferences without knowing the password.

To check whether you're affected by this bug, open System Preferences on your Mac and click on App Store. If the padlock on the window is unlocked, click on it to lock it.

Using the flaw, an attacker could disable automatic security updates, leaving the Mac exposed to system vulnerabilities that would otherwise be patched by future updates.

Experts say it is limited to the App Store and presents a relatively limited security risk.

If the bug exists on your computer, you can put in any password and the padlock will unlock regardless.

Coming soon after a previous "root user" password flaw discovered in December, as well as the Meltdown and Spectre chip flaws, the timing is likely to shake consumer confidence, however. So you cannot buy or download apps on that Mac if the user did not choose to save the password before.

The impact is small as it's only preferences for one application and, to get to it, you need to log into the operating system - and that password layer seems just fine.

"Our customers deserve better."

Apple has reportedly already fixed the bug in beta versions of the next macOS High Sierra update, which will be rolled out to the public in the coming weeks. "We are auditing our development processes to help prevent this from happening again", Apple said, as reported by MacRumors. Attackers could use that particular vulnerability to install malicious programmes, delete Apple IDs and anything else that they wanted to do.

Leaving the password text box blank or entering literally anything, including an incorrect password, will still allow the user to perform the changes to the account's App Store preferences.
