macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password (macrumors.com)
A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:
1. Click on System Preferences.
2. Click on App Store.
3. Click on the padlock icon to lock it if necessary.
4. Click on the padlock icon again.
5. Enter your username and any password.
6. Click Unlock.
As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.
So I have to have root level access... (Score:3, Funny)
in order to exploit this. Yeah, not really seeing the big deal.
Re: (Score:2)
Re: (Score:1)
There is no sudo on any of my boxen. Play with matches on your own HW.
Re:So I have to have root level access... (Score:4, Insightful)
So when you need to execute a command with root privileges, what do you do?
A) Not execute the command.
B) Use something functionally equivalent to sudo, making your comment absolutely pointless.
C) Login as root, like a moron.
Re:So I have to have root level access... (Score:1)
Re: (Score:2)
Re: (Score:2)
If a password weren't considered important for an admin level user, they simply wouldn't ask for one.
Chances are the authentication GUI prompt is more meant to prevent nefarious processes from automatically executing when an admin is logged in (similar to seeing UAC prompts on Windows, even when running as local admin), which that CAPTCHA-esque interrupt is still important. This merely discovered that when logged in as an administrator, the authentication input is irrelevant.
Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"
A sudoer is not really a proper analogy, as that is a normal account you've granted rights to perform escalation. This feature (now
Re: (Score:2)
I disagree with that as a limit. It's to remind the user that they're about to make a change which may have significant impact (the bug doesn't change that). It requires that a non-admin user get an admin to approve changes (but apparently doesn't change that). It prevents "drive-bys", where someone steps away without locking their PC and a walk up ne'er-do-well tries to make system changes.
Re: (Score:3)
He's a social justice warrior for log cabin nazism.
See, stuff like this is why I still come here, long after the site has ceased to have much relevance. The trolls are a bit one-note, but they do still have some style.
Re: (Score:3)
It's not the first time they've fucked up authentication recently, so you can be sure it's not the last.
Re: (Score:3)
That's not what's on the App Store preference pane. It's whether automatic updates are enabled and how long after a recent app purchase before requiring a password again.
By default, this whole pane is unlocked and there's not much reason that most people would go in and lock this pane.
Apple Quality (Score:1)
Brought to you Time Cook, the replacement for Steve Jobs.
Re: (Score:3)
This issue could be that you (the rightful admin level user) walk away from your computer to get another coffee and forget to lock it. While you're brewing, Mr Evil enters the scene and can unlock the App Store preferences panel without knowing your password.
Now I had a look at what is in this panel, there's not much that can be changed in there. The most "harmful" setting may be to save the store password for 15 minutes for purchasing apps.
Some other truly evil things that can be done in there is to chang
Re: (Score:2)
Meh, Windows puts UAC a mere click away.
You can't fix stupid. People will walk away without locking their machines, and they will bitch when you force their machines to lock after 10 minutes of inactivity.
If you want a car analogy, walking away from your PC and leaving it unlocked is like leaving your car running, with the door open, while you go to get a cup of coffee in the gas station mini mart. And when your car gets stolen and the thief uses it in the commission of another crime you'll be held respon
Re: (Score:2)
Scary because... (Score:5, Insightful)
Re: (Score:2)
Not really as bad as you think. Some functions in the system control panel can be accessed by normal users. That includes the app store. I think the issue is that once you're there it might let you do things that you shouldn't be able to do.
Re: (Score:1)
What is troubling is how this passes even the most basic QA .... does password prompt accept valid password? Yes ... does password prompt accept invalid password? Yes. It's literally the second (if not the first) test case you would apply.
I've yet to meet a single tester who wouldn't do that. I've known people who were annoying/awesome software testers ... because they immediately went straight to the "hey, what if I do random shit" le
Meh. (Score:1)
Re: (Score:2, Interesting)
Yeah right.
Someone’s never been to a computer security conference...
Apple is sloppy (Score:2)
Since March 2001, when OSX was first released, Apple has been lazy about all of OSX security. The biggest culprit usually being extremely slow in updating 3rd party libraries included in the core OS, even when the version of the libraries they are using have known major security problems.
Before 2001, security wasn't even on a lot of people's radar, so before that I'm pretty sure they were lazy about it too.
They aren't just lazy in security either, just look at their UI. U
This is getting ridiculous (Score:5, Interesting)
OK, this has somewhat limited potential, but still... what are they doing at Apple? Such things just should not happen. It's almost as if they're developing macOS as a hobby project, and there are hobby projects that do not have such glaring bugs.
Re: This is getting ridiculous (Score:1)
Apple is no longer a computer company. They are all in on the phone and mobile computing. So anything Mac related (ex: macOS, MBP) etc. are second rate projects in Apple's eyes. They make most of their money from slanging phones.
Re: (Score:3)
MacOS is being kept on life support only until an iPhone can reasonably replace one with a wireless KVM. "Mac Mode" has been Steve's dream for more than a decade.
Agreed. It's almost as if the 'High' in Sierra... (Score:2)
What's next.... (Score:2)
Re: (Score:3)
Thanks! (Score:2)