macOS High Sierra’s App Store System Preferences Can Be Unlocked With Any Password
A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:
• Click on System Preferences.
• Click on App Store.
• Click on the padlock icon to lock it if necessary.
• Click on the padlock icon again.
• Enter your username and any password.
• Click Unlock.
As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren’t able to unlock any other System Preferences menus with an incorrect password.
We’re unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.
MacRumors is also unable to reproduce the issue on macOS Sierra version 10.12.6, suggesting the issue affects macOS High Sierra only.
The security vulnerability means that anyone with administrator-level access to your Mac could unlock the App Store preferences and enable or disable settings to automatically install macOS updates, app updates, system data files, and, ironically, even security updates that would fix a bug like this one.
This is the second password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update.
Following the root password vulnerability, Apple apologized in a statement and added that it was “auditing its development processes to help prevent this from happening again,” so this doesn’t look great.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Apple will likely want to fix this latest security vulnerability as quickly as possible, so it’s possible we’ll see a similar supplemental update released, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.
In the meantime, we can’t think of an obvious workaround for this issue, so if you keep your App Store preferences behind lock, you’ll want to keep a close eye on your Mac until further notice. If we learn of a solution, we’ll share it.
Update: It’s worth noting that the App Store preferences are unlocked by default on administrator accounts. While the seriousness of unauthorized access to the App Store menu is debatable, the underlying bug allowing a password prompt to be bypassed with any password is obviously unacceptable.
Related Roundup: macOS High SierraTag: Mac App Store
Discuss this article in our forums