Yet another password vulnerability has been uncovered in macOS High Sierra, which unlocks App Store System Preferences with any password (or no password at all).
A new password bug has been discovered in the latest version of macOS High Sierra that allows anyone with access to your Mac to unlock the App Store menu in System Preferences with any random password or no password at all.
The impact of this vulnerability is nowhere near as serious as the previously disclosed root login bug in Apple's desktop OS that enabled access to the root superuser account simply by entering a blank password on macOS High Sierra 10.13.1.
As reported on Open Radar earlier this week, the vulnerability impacts macOS version 10.13.2 and requires the attacker to be logged in with an administrator-level account for the vulnerability to work.
I checked the bug on my fully updated Mac laptop, and it worked by entering a blank password as well as any random password.
If you're running the latest macOS High Sierra, check for yourself:
- Log in as a local administrator
- Go to System Preferences and then App Store
- Click on the padlock icon (double-click on the lock if it is already unlocked)
- Enter any random password (or leave it blank) in the login window
- Click Unlock, Ta-da!
Once done, you'll gain full access to App Store settings, allowing you to modify settings like disabling automatic installation of macOS updates, app updates, system data files and even security updates that would patch vulnerabilities.
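As an added example (not part of the original article), the following audit reads the system preference files and reports which of the automatic-update settings named above are switched off. The plist paths and key names are assumptions not given in the article, and the sample plist is constructed.

```python
import plistlib
from pathlib import Path

# Assumed mapping (not from the article): plist file -> {key: App Store checkbox}.
WATCHED = {
    "/Library/Preferences/com.apple.SoftwareUpdate.plist": {
        "AutomaticCheckEnabled": "Automatically check for updates",
        "AutomaticDownload": "Download newly available updates",
        "ConfigDataInstall": "Install system data files",
        "CriticalUpdateInstall": "Install security updates",
    },
    "/Library/Preferences/com.apple.commerce.plist": {
        "AutoUpdate": "Install app updates",
        "AutoUpdateRestartRequired": "Install macOS updates",
    },
}

# Constructed sample: security updates turned off, system data key absent.
SAMPLE = plistlib.dumps({
    "AutomaticCheckEnabled": True, "AutomaticDownload": True,
    "CriticalUpdateInstall": False,
})

def audit_plist(raw: bytes, keys: dict) -> list:
    """Return (key, label, state) for every watched key that is not enabled."""
    prefs = plistlib.loads(raw)  # accepts both XML and binary plists
    findings = []
    for key, label in keys.items():
        if key not in prefs:
            # Absent key: the OS default applies, so flag it for manual review.
            findings.append((key, label, "unset"))
        elif not bool(prefs[key]):
            findings.append((key, label, "disabled"))
    return findings

def audit_host(root: str = "/") -> list:
    """Audit every watched plist under root (use a mounted image for offline triage)."""
    findings = []
    for path, keys in WATCHED.items():
        f = Path(root) / path.lstrip("/")
        if not f.is_file():
            findings.append((path, "preference file", "missing"))
            continue
        findings.extend(audit_plist(f.read_bytes(), keys))
    return findings

if __name__ == "__main__":
    for key, label, state in audit_host():
        print(f"{state.upper():9} {label} ({key})")
```

Running it on a schedule and alerting on any `disabled` finding catches a change made through the unlocked pane even if nobody revisits System Preferences.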
We also tried to reproduce the same bug on the latest developer beta 4 of macOS High Sierra 10.13.3, but it did not work, suggesting Apple probably already knows about this issue and you'll likely get a fix in the upcoming software update.
What's wrong with password prompts in macOS? It's high time Apple stopped shipping updates with such an embarrassing bug.
Apple also patched a similar vulnerability in macOS in October, which affected encrypted volumes using APFS, wherein the password hint section was showing the actual password of the user in plain text.