Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Desktops (Apple) Privacy Security Apple

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password (macrumors.com) 58

A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps: 1. Click on System Preferences. 2. Click on App Store. 3. Click on the padlock icon to lock it if necessary. 4. Click on the padlock icon again. 5. Enter your username and any password. 6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

This discussion has been archived. No new comments can be posted.

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password

Comments Filter:
  • by Drakonblayde ( 871676 ) on Wednesday January 10, 2018 @04:47PM (#55903627)

    in order to exploit this. Yeah, not really seeing the big deal.

    • by msauve ( 701917 )
      If a password weren't considered important for an admin level user, they simply wouldn't ask for one. Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"
      • by Anonymous Coward

        There is no sudo on any of my boxen. Play with matches on your own HW.

      • If a password weren't considered important for an admin level user, they simply wouldn't ask for one.

        Chances are the authentication GUI prompt is more meant to prevent nefarious processes from automatically executing when an admin is logged in (similar to seeing UAC prompts on Windows, even when running as local admin), which that CAPTCHA-esque interrupt is still important. This merely discovered that when logged in as an administrator, the authentication input is irrelevant.

        Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"

        A sudoer is not really a proper analogy, as that is a normal account you've granted rights to perform escalation. This feature (now

        • by msauve ( 701917 )
          "Chances are the authentication GUI prompt is more meant to prevent nefarious processes"

          I disagree with that as a limit. It's to remind the user that they're about to make a change which may have significant impact (the bug doesn't change that). It requires that a non-admin user get an admin to approve changes (but apparently doesn't change that). It prevents "drive-bys", where someone steps away without locking their PC and a walk up ne'er-do-well tries to make system changes.
    • It's not the first time they've fucked up authentication recently, so you can be sure it's not the last.

  • by Anonymous Coward

    Brought to you Time Cook, the replacement for Steve Jobs.

  • Scary because... (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Wednesday January 10, 2018 @05:00PM (#55903721) Homepage Journal
    ...there seems to be a different auth code path for different padlock unlock/lock actions. Oh brother. So the bug isn't a big deal, but the symptom is troubling.
    • Not really as bad as you think. Some functions in the system control panel can be accessed by normal users. That includes the app store. I think the issue is that once you're there it might let you do things that you shouldn't be able to do.

    • by Anonymous Coward

      Oh brother. So the bug isn't a big deal, but the symptom is troubling.

      What is troubling is how this passes even the most basic QA .... does password prompt accept valid password? Yes ... does password prompt accept invalid password? Yes. It's literally the second (if not the first) test case you would apply.

      I've yet to meet a single tester who wouldn't do that. I've know people who were annoying/awesome software testers ... because they immediately went straight to the "hey, what if I do random shit" le

  • Obviously this isn't a problem for folks who care about computer security as it only impacts OSX.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Yeah right.

      Someone’s never been to a computer security conference...

  • by joh ( 27088 ) on Wednesday January 10, 2018 @06:10PM (#55904161)

    OK, this has somewhat limited potential, but still... what are they doing at Apple? Such things just should not happen. It's almost as if they're developing macOS as a hobby project, and there are hobby projects that do not have such glaring bugs.

  • ....gaining root access without a password?
  • Forgot my password!

I came, I saw, I deleted all your files.

Working...