A security vulnerability impacting macOS High Sierra allows admins to unlock the AppStore Preferences in System Preferences by providing any password.
The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.
macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.
Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the Prefpane.
One thing that should be noted is that the App Store setting is opened up unlocked by default when the user is logged as admin and that no sensitive user information can be accessed by triggering the bug.
Eric Holtam notes the security oversight only impacts the App Store preferences and no other system preferences menu can be unlocked in a similar manner. The admin password is still required when attempting to change user and other system preferences.
The issue, however, is not as dangerous as it might look. For starters, the bug can only be triggered if the user is logged in as admin, which clearly minimizes the vulnerability’s impact, given that the admin can unlock the specific settings.
Users affected by the flaw would be those who, although logged as admins, would still keep the App Store preferences locked. In such cases, if the machine was left unattended, anyone with physical access to it could change the respective settings.
Apple, however, is already working on addressing the issue. A patch has been included in the latest beta seed of macOS High Sierra (10.13.3) and will be released to all Mac users in a future software update.
In late November, the tech giant patched a critical authentication bypass vulnerability in macOS High Sierra 10.13.1, where anyone could login as root by providing any password. The attack however, was possible only if the root account hadn’t been enabled or a password hadn’t been set for it. However, experts revealed that remote attacks were also possible.