macOS High Sierra unlocks App Store Preferences with any password

Some might say that Apple is getting sloppy with its software updates. It hasn't even been two months since a severe security-related bug was discovered on macOS High Sierra, another one comes along. Fortunately, it's not as severe but still worrying. It turns out, you can get access to the App Store's preferences just by using any password. Fortunately, there is one caveat to this process and Apple already has a fix ready for later this month.

The process for triggering this bug involves the following steps:

1. Log into the local administrator account

2. Open App Store Preferences from System Preferences

3. Click the padlock icon to unlock it

4. Enter any password.

Once you're done, you're in and you can change some of the basic settings in there. The slightly good news is that there are circumstances that mitigate the severity of this still facepalm-worthy bug.

One, the options available in the App Store Preferences are not so critical and the important ones, like Users & Group and Security & Privacy are still locked under a password and doesn't seem to be affected by the bug. But more importantly, it only works if you're logged in as an administrator user. Regular users still can't get in using any (wrong) password.

In the grand scheme of things, however, it's a worrying trend. In November, an even worse macOS High Sierra bug allowed any user to gain superuser access by simply logging in as "root" and using a blank password. Then in December, an iOS update left HomeKit-enabled smart locks vulnerable to unauthorized remote control. Apple's previously pristine record when it comes to quality updates and security seems to be in trouble.

Apple already has a fix for this current bug in the latest beta for macOS 10.13.3, which should roll out to the public later this month. The bug doesn't seem to affect macOS 10.2.6 or older. In the meantime, users are advised not to remain logged into their administrator accounts, especially when stepping away from their Macs in public places.

VIA: MacRumors