New macOS Security Bug Unlocks App Store With Any Password

This means that if your account is an admin and you leave the computer unattended, anyone can change the App Store settings on the Mac without your knowledge.

The bug, first reported on the community bug-reporting service OpenRadar, allows an already logged-in user with administrative powers to change account preferences in the App Store without being required to enter a valid password for verification purposes. Anyone with access can enable or disable settings related to automatically installing macOS software, security and app updates.

Experts say it is limited to the App Store and presents a relatively limited security risk.

An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system's password protections.

With I Am Root still fresh in the memories of users and the recent hoopla over Meltdown and Spectre not yet having died down, this comes at a particularly unwelcome time. Enter any username and password you want and press Unlock, and the App Store system preferences will become unlocked. It is still a security flaw, but the good news is that Apple claims to have fixed the issue in the latest beta of macOS 10.13.3, which has yet to be released to the public. If you're on macOS High Sierra 10.13.2, any password will unlock the preferences.

The bug is nowhere near as risky as the root-access security flaw that was uncovered the previous year, whereby attackers could gain root access to macOS computers by typing "root" in the username field and leaving the password field blank.

Apple's Mac OS Sierra is in the news again thanks to another security loophole that has come to the fore. Apple later fixed the issue with a security update.

It's not known when the fix that is included with macOS 10.13.3 beta will ship to all customers, but hopefully the update will reach users soon. "We are auditing our development processes to help prevent this from happening again."