Apple’s High Sierra flaw lets any password open App Store preferences

Your Mac has another bug that lets people log in without your password. But unlike the last time this happened, it only leaves your computer exposed to a bit of mischief.

That proviso won’t stop the bug from raising concerns about the overall quality of Apple’s software. But it means the flaw doesn’t hand anyone the keys to the kingdom.

Let’s compare. In November, users found anyone could log into a Mac with just the user name “root” and no password whatsoever. That’s a serious flaw that undercut the most basic line of security protecting the content of your computer from thieves, or even prying friends, family or co-workers. On Monday, a report surfaced that someone could log into your App Store preferences with any entry in the password field.

Any password will do to log into the App Store preferences on a Mac running High Sierra 10.13.2. (Screenshot: CNET)

Apple didn’t immediately respond to a request for comment. The issue only comes up when a Mac user is logged in with administrative privileges. For local users, no password is required to change App Store preferences.

CNET confirmed the bug by slapping random keys into the App Store preferences password field on a Mac running the most recent High Sierra operating system (10.13.2). Boom, we were logged in.

But what was next? Now CNET could take full control of, well, the computer’s App Store preferences. Not exactly the kind of all-encompassing power one might expect from bypassing a password. What’s more, the computer itself wasn’t locked when CNET struck — just the App Store preferences.

To make this very clear: to take advantage of this flaw, an attacker would have to wait for an unsuspecting Mac user to walk away from their computer without logging out. Then this malicious person would need to rush up to the computer, open up the App Store preferences, and enter any old combination of keystrokes to log in and make changes. Finally, the saboteur could do something as dastardly as getting your computer to stop automatically checking for software updates.

CNET checked on a Mac running the next version of High Sierra (10.13.3), which hasn’t been released to the general public yet, and found that the issue is no longer present.

CNET’s Stephen Shankland contributed to this report. 
