Mac password flaw leaves Apple red-faced 

Apple MacBook Pro laptop Credit: Geoff Pugh

A password vulnerability affecting Apple's Mac operating system has been found by researchers, the third discovery of this kind in recent months. 

It allows any user to change App Store preferences in minutes without needing the original password, according to a bug report on Open Radar, a website used by Apple developers.

Anyone with access to a machine could turn off security updates, app updates or updates to macOS. The bug is triggered simply by pressing the unlock padlock when prompted within System Preferences and then entering any made-up password.

Macs running earlier operating systems than macOS 10.13 are understood to be affected. The bug only affects App Store preferences, but it is just the latest password error to slip through Apple's operating system.

The embarrassing flaw, which emerged on Wednesday evening, has raised eyebrows among the security community. However, experts were quick to point out that anyone with malicious intent would need access to the machine. But it is the latest in a series of bugs that have been highlighted in Apple's macOS operating system.

Apple CEO Tim Cook

In September, a researcher discovered a way to download passwords using Apple's Keychain technology. Two months later, a separate researcher pointed out that anyone could access a Mac device by typing the username "root".

Within days, Apple had issued a fix, with a spokesman stating: "We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better."

Apple, Google, Amazon and Microsoft are currently working to secure their devices from the Meltdown and Spectre flaws, which are present in their products' hardware. The bug is present in Intel, AMD and ARM microprocessors, which power billions of devices, including iPads, iPhones, smartphones, PCs and Macs. It could allow hackers to remotely access all the files stored on a device, including encryption keys, passwords and web history.

On Tuesday, Intel boss Brian Krzanich said 90 per cent of devices affected by the Meltdown and Spectre flaws would be patched within two weeks.
