macOS High Sierra bug lets App Store preferences be unlocked with any fake password

If a user is logged in as a local admin, they can enter literally any password to gain access to these settings.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A bug in macOS version 10.13.2 allows a local admin to access App Store preferences by using any incorrect password.
  • Changing these settings can turn off automatic updates for macOS, including security and app updates.

A recently discovered bug in macOS High Sierra lets any local admin open the App Store preferences without the correct password. According to the bug report filed on Open Radar, an admin can punch in literally any password at the unlock prompt and gain access.

While this may seem trivial to some, the flaw has real security implications. The padlock on a preference pane exists to force re-authentication, so that someone with access to an already unlocked admin session (a passer-by at an unattended Mac, or a local attacker who has landed in the admin's session but does not know the password) cannot change protected settings. With that check broken, anyone in that position can open App Store preferences and disable automatic downloads and installs of macOS security and app updates, leaving the machine exposed to future vulnerabilities. It is not a privilege escalation: the account must already be a local admin.

According to the report, there are two important things to consider. First, this flaw only seems to affect High Sierra version 10.13.2, the current release at the time of writing. Second, the ability to unlock these preferences with any password is only available to local admins; standard user accounts aren't affected, because they are asked for an admin name and password and a wrong one is rejected as usual.


To reproduce the bug, log in as an admin, open System Preferences and click the App Store icon. Click the padlock to unlock the settings, enter your admin username together with any random password, and click Unlock. The App Store preference pane unlocks even though the password was wrong.
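The bug itself is a GUI interaction, but the consequence the article worries about, auto-updates being switched off through the unlocked pane, can be audited from a shell. The script below is an added example and is not part of the article or of Apple's tooling. It assumes the preference domains and key names that macOS 10.13 writes for the App Store pane's checkboxes (`/Library/Preferences/com.apple.SoftwareUpdate` for the check, download, macOS-install and system-data controls, and the `AutoUpdate` key in `/Library/Preferences/com.apple.commerce` for app updates); if `defaults` is not available it runs against constructed sample dumps instead, so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the article): audit the update controls that the
# App Store preference pane governs, so a defender can tell whether someone
# used the unlocked pane to switch automatic checks, downloads or installs off.
# The plist domains and key names below are the ones macOS 10.13 writes for
# these settings; they are an assumption if you run this on another version.

SWU_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate   # macOS / system data controls
COMMERCE_DOMAIN=/Library/Preferences/com.apple.commerce    # "Install app updates"

# Extract one key's value from `defaults read <domain>` output, which looks
# like "{ AutomaticCheckEnabled = 1; AutomaticDownload = 0; }" on one line or
# spread over many. Prints the value, or "missing" when the key was never
# written (the OS default then applies, so confirm that one by hand).
get_key() {
    key=$1
    text=$2
    val=$(printf '%s\n' "$text" | tr ';' '\n' \
        | sed -n "s/.*[{[:space:]]$key[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'missing\n'
    fi
}

# Compare both dumps against the expected "everything on" state. Prints one
# line per control and returns 0 only if every control is explicitly on.
audit_update_prefs() {
    swu=$1
    commerce=$2
    bad=0
    for key in AutomaticCheckEnabled AutomaticDownload \
               AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall; do
        v=$(get_key "$key" "$swu")
        if [ "$v" = "1" ]; then
            printf 'ok    %s = %s\n' "$key" "$v"
        else
            printf 'WARN  %s = %s (macOS/system updates reduced)\n' "$key" "$v"
            bad=1
        fi
    done
    v=$(get_key AutoUpdate "$commerce")
    if [ "$v" = "1" ]; then
        printf 'ok    AutoUpdate = %s\n' "$v"
    else
        printf 'WARN  AutoUpdate = %s (App Store app updates off)\n' "$v"
        bad=1
    fi
    return $bad
}

# Constructed samples in `defaults read` format (not captured from a real
# machine): a healthy Mac, and one whose pane was unlocked and every control
# switched off.
HEALTHY_SWU='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 1;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
    LastSuccessfulDate = "2018-01-10 09:00:00 +0000";
}'
HEALTHY_COMMERCE='{ AutoUpdate = 1; }'
TAMPERED_SWU='{
    AutomaticCheckEnabled = 0;
    AutomaticDownload = 0;
    ConfigDataInstall = 0;
    CriticalUpdateInstall = 0;
}'
TAMPERED_COMMERCE='{ AutoUpdate = 0; }'

# On a Mac, read the live preferences; elsewhere, demonstrate on the samples.
if command -v defaults >/dev/null 2>&1; then
    audit_update_prefs "$(defaults read "$SWU_DOMAIN" 2>/dev/null)" \
                       "$(defaults read "$COMMERCE_DOMAIN" 2>/dev/null)" || :
else
    echo "== healthy sample"
    audit_update_prefs "$HEALTHY_SWU" "$HEALTHY_COMMERCE" || :
    echo "== tampered sample"
    audit_update_prefs "$TAMPERED_SWU" "$TAMPERED_COMMERCE" || :
fi
```

On a Mac, run it as `sh audit_update_prefs.sh`; a nonzero exit means at least one control is not explicitly on. A value of `missing` only says the key has never been written, so the OS default applies: confirm it in the pane or with `softwareupdate --schedule` (which reports only the automatic-check setting) rather than treating it as proof of tampering.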

This flaw only seems to affect the App Store preferences, according to MacRumors. Other preferences, such as Users and Groups, are not affected.

Thankfully, the bug appears to be fixed in macOS 10.13.3, but that version is still in beta. As also reported by MacRumors, 10.13.3 is planned for release later this month, and the bug does not appear to be present in 10.12.6 or earlier versions. Until the update ships, the practical mitigation is the usual one for an unattended admin session: lock the screen, and check the App Store pane's update settings if a Mac has been left unlocked around people who should not be able to change them.

All in all, this isn't a huge security risk, but it is a concern in the sense that it wasn't caught by Apple sooner. It also pales in comparison to the severity of the macOS High Sierra flaw discovered in late 2017, which allowed anyone at the login or authentication prompt to authenticate as the superuser by typing the username "root" and leaving the password field blank.

Regarding the root flaw, an Apple spokesperson said: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."


Image: Matt Elliott/CNET

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
