Wednesday, 20 February, 2019

MacOS High Sierra Facing a New Password Bug

Theresa Hayes | 12 January, 2018, 18:04

Changing these settings can turn off automatic updates for macOS, including security and app updates. It is also worth noting that the bug is not present in macOS High Sierra 10.12.6 and earlier builds.

Assuming the attacker would be able to gain such access, they would still only be able to change the user's preferences in the App Store.

But it looks like Tim Cook's crew has got a little sloppy recently, as yet another bug has been found in macOS High Sierra that allows anyone with local administrator access to unlock the App Store menu in the OS System Preferences by using a bogus password.

With I Am Root still fresh in the memories of users and the recent hoopla over Meltdown and Spectre not yet died down, this comes at a particularly unwelcome time.

Last year, as some of you might recall, Apple's macOS High Sierra had a security flaw that allowed users to gain admin access without needing a password. That bug allowed users to log into a system by typing "root" as the login and then hitting Enter on the login attempt several times in a row.

The login prompt simply accepts the incorrect password and unlocks, as long as you are still logged in as a local admin. Click the padlock to unlock settings, enter your admin username and any random password, and click Unlock.

Numerous settings within the App Store System Preferences window are also protected behind your Apple ID password and can't be changed using this method, but a nefarious user with physical access to your Mac could toggle the options that fall under the automatic update section.

The latest issue is reported to have been addressed in the latest beta version of macOS 10.13.3.

The issue has been fixed in the High Sierra 10.13.3 beta, but in the meantime you'll want to make sure that you don't leave yourself logged into an administrator account when the computer is unattended, and also, ensure that any users whom you don't trust are on a standard account rather than an admin account.
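The two mitigations above, keeping untrusted users on standard accounts and not leaving automatic updates silently disabled, are both things an administrator can audit. The following script is an added example, not code from the article or from Apple: it parses the output of `dscl . -read /Groups/admin GroupMembership` to list which accounts hold admin rights, and counts how many of the automatic-update keys in `/Library/Preferences/com.apple.SoftwareUpdate` are switched off. The `dscl` and `defaults` commands are assumed to be the real macOS tools; where they are absent (for example when running the demo on another OS) the functions fall back to constructed sample output so the parsing logic still runs.

```shell
#!/bin/sh
# Added example: audit local admin group membership and the state of
# macOS automatic-update settings. Assumes macOS `dscl` and `defaults`;
# falls back to constructed samples when they are not present.

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN_LINE="GroupMembership: root alice bob"

# Constructed sample of `defaults read /Library/Preferences/com.apple.SoftwareUpdate`
# output with two of the automatic-update switches turned off.
SAMPLE_SWUPDATE='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 0;
}'

# Turn a GroupMembership line into a space-separated list of account names,
# dropping the built-in root entry so only human accounts are reported.
parse_admin_members() {  # $1 = membership line
    printf '%s\n' "$1" | sed 's/^GroupMembership: *//' | tr ' ' '\n' \
        | grep -v '^root$' | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if the named user is in the admin group, 1 otherwise.
is_admin() {  # $1 = user, $2 = membership line
    for m in $(parse_admin_members "$2"); do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# Count automatic-update keys whose value is 0 in a `defaults read` dump.
count_disabled_updates() {  # $1 = dump text
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(AutomaticCheckEnabled|AutomaticDownload|CriticalUpdateInstall|ConfigDataInstall)[[:space:]]*=[[:space:]]*0;' \
        | wc -l | tr -d ' '
}

# Live readers: use the real tools on macOS, otherwise the constructed samples.
admin_members_live() {
    if command -v dscl >/dev/null 2>&1; then
        parse_admin_members "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"
    else
        parse_admin_members "$SAMPLE_ADMIN_LINE"
    fi
}

swupdate_dump_live() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_SWUPDATE"
    fi
}

# Print a short report; a non-empty admin list beyond the expected accounts
# or a non-zero disabled count is what an administrator wants to see flagged.
report() {
    echo "Accounts with local admin rights: $(admin_members_live)"
    disabled=$(count_disabled_updates "$(swupdate_dump_live)")
    echo "Automatic-update switches turned off: $disabled"
}

report
```

On a real Mac the report lists every account that can reach the padlock-unlock path described above, which is the set to shrink to the people you actually trust; a disabled-update count above zero means the App Store preferences should be re-checked and the switches turned back on.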

"Our customers deserve better. We are auditing our development processes to help prevent this from happening again," Apple said in a statement.