Yet another password vulnerability has been uncovered in macOS High Sierra, which unlocks App Store System Preferences with any password (or no password at all).
A brand-new password bug has been discovered within the latest variation of macOS High Sierra which allows anyone with access to your Mac to unlock App Store menu in System Preferences with any random password or no password at all.
The impact of This particular vulnerability will be nowhere as serious as the previously disclosed root login bug in Apple’s desktop OS which enabled access to the root superuser account simply by entering a blank password on macOS High Sierra 10.13.1.
As reported on Open Radar earlier This particular week, the vulnerability impacts macOS variation 10.13.2 along with requires the attacker to be logged in with an administrator-level account with This particular vulnerability to work.
I checked the bug on my fully updated Mac laptop, along with the item worked by entering a blank password as well as any random password.
If you’re running latest macOS High Sierra, check yourself:
- Log in as a local administrator
- Go to System Preferences along with then App Store
- Click on the padlock icon (double-click on the lock if the item will be already unlocked)
- Enter any random password (or leave the item blank) in login window
- Click Unlock, Ta-da!
Once done, you’ll gain full access to App Store settings, allowing you to modify settings like disabling automatic installation of macOS updates, app updates, system data files along with even security updates which would certainly patch vulnerabilities.
We also tried to reproduce the same bug on the latest developer beta 4 of macOS High Sierra 10.13.3, however the item did not work, suggesting Apple probably already knows about This particular issue along with you’ll likely get a fix in This particular upcoming software update.
What’s wrong with password prompts in macOS? the item’s high time Apple should stop shipping updates with such an embarrassing bug.
Apple also patched a similar vulnerability in October in macOS, which affected encrypted volumes using APFS wherein the password hint section was showing the actual password of the user within the plain text.