Mac exploit lets you change App Store preferences with any password

MacRumors says it was able to replicate the bug, which was first reported on Open Radar, in the latest public version of the operating system: High Sierra version 10.13.2.

With I Am Root still fresh in the memories of users and the recent hoopla over Meltdown and Spectre not yet having died down, this comes at a particularly unwelcome time.

Writing on his Daring Fireball site, tech blogger John Gruber said: 'This one is relatively low stakes.

'But, still, this is embarrassing given what we just went through with the very serious root-access-with-no-password bug'. Fortunately, Apple has confirmed that macOS High Sierra 10.13.3, which is in beta now, corrects the issue (via Macworld).

The bug is reproducible by logging in as a local admin, opening App Store preferences from the System Preferences app, locking the padlock if it's already unlocked and then unlocking again by typing in an incorrect password. Note that the ability to unlock these preferences with any password is only available to local admins, and standard user accounts aren't affected.

macOS 10.13 High Sierra Update: Security Bug Allows Settings Changes Without Password

Apple is once again dealing with password-related problems, as the company's macOS 10.13 High Sierra operating system appears to contain a security flaw that allows settings to be changed without entering a password.

The discovery no doubt brings back memories of the infamous bug that allowed anyone to log in to a device with root access with barely any hindrance. Attackers could use that particular vulnerability to install malicious programmes, delete Apple IDs and do anything else that they wanted.

"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better."

To exploit the bug, a hacker would need to have physical access to a vulnerable Mac when a user is logged on to the computer.

We should note that these settings are unlocked by default on administrator accounts, as they aren't especially sensitive.

