Latest macOS Security Flaw Allows App Store Preferences Unlocking With Any Password


There is a security flaw in the most recent edition of macOS High Sierra, version 10.13.2, that allows users to unlock the App Store menu in System Preferences without knowing the password. The only caveat is that the exploit seems to only work on administrative-level accounts—attempts to reproduce the buggy behavior on standard accounts have not been successful. In addition, a fix is on the way.

For now, however, the steps to reproduce the bug on an administrative-level account are pretty easy, as outlined by a bug report on Open Radar. They are as follows:
  1. Log in as a local admin
  2. Open the App Store
  3. Click on the padlock icon to lock it (if necessary)
  4. Click on the padlock icon again
  5. Enter your username and type in any password
  6. Click Unlock
That is all there is to it. The folks at MacRumors report they were able to successfully bypass the real password by following the above steps on an administrative account, but were not able to trick any other System Preferences login prompts with a bogus password. That includes more sensitive areas of the OS, such as Users & Groups and Security & Privacy, regardless of whether they tried with a standard account or administrative-level account.

Apple is aware of the vulnerability and has issued an apology.

"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again," Apple said in a statement.

Apple has also introduced a fix in the latest beta of macOS (version 10.13.3), which should show up in an update sometime later this month. It is also worth noting that the bug is not present in macOS High Sierra 10.12.6 and earlier builds.
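As an added example that is not part of the original article, the POSIX shell check below classifies a Mac's reported macOS version against the versions named above (10.13.2 reported affected, 10.13.3 carrying the fix, 10.12.6 and earlier reported unaffected), which is the triage an administrator would run across a fleet. It assumes that only 10.13.2 is confirmed affected and treats 10.13.0 and 10.13.1, which the report does not cover, as unknown; both are assumptions, not statements from the article.

```shell
#!/bin/sh
# Added example, not code from the article. Classifies a macOS version
# string against the App Store preference-pane unlock bug described above.
# Assumptions: 10.13.2 is the only confirmed affected release; 10.13.3 and
# later carry the fix; 10.12.6 and earlier are unaffected; 10.13.0/10.13.1
# are not covered by the report and are labelled "unknown".

# vercmp A B: prints -1, 0 or 1 as dotted numeric version A is <, = or > B.
# Missing trailing components count as 0, so 10.13 equals 10.13.0.
vercmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# app_store_unlock_status VERSION: prints affected, fixed, unaffected or unknown.
app_store_unlock_status() {
  v="$1"
  if [ "$(vercmp "$v" 10.13.3)" -ge 0 ]; then
    echo fixed        # 10.13.3 and later carry Apple's fix
  elif [ "$(vercmp "$v" 10.13.2)" -eq 0 ]; then
    echo affected     # the release the bug was reported against
  elif [ "$(vercmp "$v" 10.12.6)" -le 0 ]; then
    echo unaffected   # article: bug not present in 10.12.6 and earlier
  else
    echo unknown      # 10.13.0 / 10.13.1: not covered by the report (assumption)
  fi
}

# On a Mac, check the running system; elsewhere sw_vers is absent and this is skipped.
if command -v sw_vers >/dev/null 2>&1; then
  app_store_unlock_status "$(sw_vers -productVersion)"
fi
```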

This is not the first embarrassing moment for Apple with regard to macOS High Sierra. A previous exploit allowed unauthorized users to gain full admin access to a Mac computer simply by using the username "root" and offering up no password. And prior to that, there was a bug that allowed programs not approved by Apple to glean passwords from the Mac keychain when users asked the software to remember a password for them.