Wednesday, 10 January 2018

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password

A bug report submitted on Open Radar this week reveals a major security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. 

MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:

• Click on System Preferences.
• Click on App Store.
• Click on the padlock icon to lock it if necessary.
• Click on the padlock icon again.
• Enter your username and any password.
• Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account.

We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

MacRumors is also unable to reproduce the issue on macOS Sierra version 10.12.6, suggesting the issue affects macOS High Sierra only.

The implications of this security vulnerability are rather serious. Anyone with physical or remote access to your Mac could unlock the App Store preferences and enable or disable settings to automatically install macOS updates, app updates, system data files, and, ironically, even security updates.

This is the second major password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update.

Apple will likely want to fix this latest security vulnerability as quickly as possible, so it's possible we'll see a similar supplemental update released, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.

In the meantime, we can't think of an obvious workaround for this issue, so if you keep your App Store preferences behind lock, you'll want to keep a close eye on your Mac until further notice. If we learn of a solution, we'll share it.

We're still investigating further to confirm if macOS High Sierra versions 10.13 or 10.13.1 are affected. We'll update this article as we learn more.