macOS High Sierra bug: unlock App Store system preferences with any password

Jason Cross
11 January, 2018

Less than two months ago, Apple users discovered a bug in macOS that allowed anyone to log in with root access. Apple apologised and fixed it quickly, but now users on Open Radar have found a similar (but far less severe) macOS password bug.

If you’re running macOS High Sierra, try this:

  1. Open System Preferences.
  2. Click on App Store.
  3. If the padlock is unlocked, click to lock it.
  4. Click the padlock to unlock it.
  5. In the prompt, enter your username and any password.

The App Store preferences pane should unlock. We tried it on a new iMac and MacBook Pro, both with macOS 10.13.2, and it worked.

The bad news is that this is a really easy and fairly serious security vulnerability. The good news is that users running the 10.13.3 beta have not yet been able to reproduce the bug, so it’s probably fixed in that upcoming release.

This is also nowhere near as serious as the root bug was. Allowing anyone with access to your Mac to access your App Store system preferences is bad, but it’s not like it would let them rack up a ton of charges or steal your data (the most lenient setting for purchases is to require your password after 15 minutes).

Apple’s quality problems

Between late November and early December of last year, Apple users were treated to a flurry of problems. The worst was the infamous root bug, which was quickly fixed with a patch that broke file sharing for some users. But we can’t forget the iOS bug where users couldn’t type a capital I. And then iPhones got stuck in a boot loop on 2 December. (We’ll give Apple a pass on Meltdown/Spectre, as that one hit the entire computing industry.)

At the time of the root bug, Apple released a statement saying:

“We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

Later, Phil Schiller downplayed the notion that there were systemic problems at Apple. “We just had a bad week. A couple of things happened, that’s all.” He once again promised to audit Apple’s systems and processes to prevent this sort of thing from happening again.

And yet here we are, not halfway into January, with another ‘they really should have caught this’ bug. While it’s not nearly as serious as those of the infamous ‘bad week’, it’s still an amateur-hour mistake that makes it easy to question Apple’s renewed commitment to quality.
