
MacOS High Sierra Facing a New Password Bug

This new flaw isn't as serious as the MacOS High Sierra bug Apple shored up in November. Still, this isn't a good look for the Cupertino tech giant.

By Angela Moscaritolo
January 11, 2018

Researchers have discovered a flaw affecting macOS High Sierra that allows the App Store preferences menu to be unlocked by an administrator with any password, correct or not.

MacRumors says it was able to replicate the bug, which was first reported on Open Radar, in the latest public version of the operating system: High Sierra version 10.13.2. On a positive note, the bug can only be reproduced when you're logged in as a local administrator, and does not affect standard, non-admin accounts.

Apple did not immediately respond to PCMag's request for comment about the flaw.

Reproducing the problem is pretty easy, according to MacRumors and the original bug report. A user would just need to log in as a local admin, click System Preferences, select App Store, click the padlock icon to lock it (if it's unlocked), click the padlock again to unlock it, enter any phony password, click Unlock, and voila. You're in.

With a bogus password, one would, of course, expect the login attempt to fail. But that's not the case. Instead, the "authorization succeeds and grants access to change the AppStore preferences," the Open Radar bug report reads.

The bug does not affect the latest beta of macOS 10.13.3, or macOS Sierra version 10.12.6 and earlier, MacRumors notes.

News of the flaw comes after Apple in late November shored up a separate High Sierra bug that let anyone gain root access to the system without a password. "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said at the time. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
