This is just beyond silly, alongside the previous password related bugs. I realize that as a modern OS, macOS is very complex. But authentications like these shouldn't change drastically from OS to OS.
 
That’s why I always ask my testers for a positive and a negative test. @Apple contact me if you need someone to support your QA/QC.
 
I don't even know that there is a lock in App Store preference.
Precisely: I can't even remember when I opened App Store preference last time.
 
THIS WILL BE THE END OF THE WORLD!

WHAT HAS HAPPENED TO APPLE LATELY!?

IF SOMEONE HAD ACCESS TO MY MACHINE THEY COULD CHANGE A COUPLE FAIRLY MEANINGLESS APP STORE PREFERENCES!!!!

Since you are asking:

giphy.gif
 
I just paid a visit to Apple's jobs page, checked "Information Systems and Technology", entered key words "software tester", and 43 jobs came up. Examples:

For "Sr. Software Development Engineer":
Key Qualifications
  • Deep interest in testing methodologies and techniques for minimizing risk and maximizing software quality
For "iDMS Software Engineer, QA" [To work in Apple’s Identity Management Services QA group]:

"...The QA Engineer in this role will play a key function in delivering highly critical Identity Management/Authentication features to internal and external customers on OS X, iOS, and Web in addition to supporting the development of internal test automation & test management tools...."

My guess is that in recent years, for whatever reason, a lot of seasoned employees left, and their replacements are not of the same calibre.
 
No you're not. This just isn't a major issue. My concern is that it's a further indicator of Apple's failure to do proper QA on security related issues in the recent past.

Agree on the point around QA. However, there is one interesting attack vector here. You can totally disable automatic OS updates and installs. So if someone exploits this vulnerability then they can freeze a user's machine on a particular OS version and leave them permanently vulnerable to this and any existing bugs. Effectively permanently pwning their machine.

I think Apple will need to force reset people's settings here to get around this.
 
(Star trek narrative voice)
Quality....where no man had experienced before. (Classic star trek theme song)
 
Agree on the point around QA. However, there is one interesting attack vector here. You can totally disable automatic OS updates and installs. So if someone exploits this vulnerability then they can freeze a user's machine on a particular OS version and leave them permanently vulnerable to this and any existing bugs. Effectively permanently pwning their machine.

I think Apple will need to force reset people's settings here to get around this.
Again, remember the default setting is that this preference isn’t locked for admin users anyway, and in fact, in El Capitan, there isn’t even a lock on the App Store preference at all, unless the requirement to require a password for system wide preferences is turned on.
 
I'm not sure I'd like to work in iOS exclusively, but I do agree (despite what Apple insists) that a convergence of the two operating systems would be more practical in many ways. I think Windows 10 proved that this is possible with Windows 10.


One more reason I chose to leave macOS in 2017. iOS is a much better platform for me moving forward. Has everything I need and a bright future ahead. We need a ground up rework of macOS - based on iOS.
 
I like Apple, I am typing this on an iPhone X (best phone ever created in my opinion). Apple sure is getting a lot of black eyes lately, and their quality control processes for software releases are obviously insufficient. Come on Apple. My Windows box is more secure than my Mac thanks to your lackadaisical quality control.
 
Wow. Just wow.
Unbelievable. They’ve been doing a lot of apologizing lately.

Would this be considered a quality control issue? Between these QA problems and just terrible shipping and delays on brand new products (air pods, iPhone 7 last year, Home Pod, 2015 re-designed MacBook, etc?), Apple is having a lot of issues.

Waiting for Rene Ritchie to come to Apple’s rescue and explain all of this away in 3, 2, 1...
 
I agree, those were great days.

There's lack of vision, there's lack of clarity and structure today.
I wish they'd bring Scott back. He may have been a pain, but heavens, maybe it needs a pain ... to drive things forward.

It needs a vision - not a marketing division. :( I like Tim, but he's not a visionary, he can crunch numbers. Alas, it seems that no one can bring Steve back.

Sad to see what happens to Apple these days. :(


Disagree. Scott may have been able to get stuff done but his aesthetics were pure cartoonish. Yuck!
 
A tad bit disturbing because it's so blatant and Apple has stated security is a feature of its products. These types of basic omissions belie its claims. Feels like Mac OS is becoming Windows with all these security patch updates. Maybe Apple needs to slow down here a bit and get back to basics.
I've been feeling this way for a couple years now, pretty sure lots of us have.
In the "good ol' days" of Apple I was always running the latest macOS. For the past several years I've been staying one release behind (I just upgraded to Sierra a couple of weeks ago).
You mean in the Mac OS X days ;) ... seems to be the turning point IMO. Probably only a coincidence though.
 
Are we forgetting the Charging, cellular speed, BT, AirPods connect, Data loss, Touch ID, iMessage activation, Siri gone walk about, safari crashers, reboot loop, won't turn on, auto correct letters!!!!, slide stuck on upgrade, email/exchange, slowdown/lagging, 2nd December and Battery life issues...???

And that's just off the top of my head... iOS is worse,
Man I'm glad I've experienced none of that....nor on iOS! And I run all beta software.
Agree on the point around QA. However, there is one interesting attack vector here. You can totally disable automatic OS updates and installs. So if someone exploits this vulnerability then they can freeze a user's machine on a particular OS version and leave them permanently vulnerable to this and any existing bugs. Effectively permanently pwning their machine.

I think Apple will need to force reset people's settings here to get around this.
Or people can not be lazy and check for updates themselves. I mean, since people seem so up in arms over security flaws. Take control of what you can and stay on top of updates.
 



A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.

MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:

  • Click on System Preferences.
  • Click on App Store.
  • Click on the padlock icon to lock it if necessary.
  • Click on the padlock icon again.
  • Enter your username and any password.
  • Click Unlock.

As mentioned in the radar, we can confirm that the App Store preferences login prompt does not accept an incorrect password with a non-administrator account, meaning there is no behaviour change for standard user accounts.

We also weren't able to bypass any other System Preferences login prompts with an incorrect password, with any type of account, so more sensitive settings such as Users & Groups and Security & Privacy are not exposed by this bug.

Apple has fixed the bug in the latest beta of macOS 10.13.3, which currently remains in testing and will likely be released at some point this month. The bug doesn't exist in macOS Sierra version 10.12.6 or earlier.

On the current macOS 10.13.2, the bug gives anyone with physical, administrator-level access to a Mac the ability to disable settings related to automatically installing macOS software, security, and app updates.

This is the second password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update.

Following the root password vulnerability, Apple apologized in a statement and added that it was "auditing its development processes to help prevent this from happening again," so this is a rather embarrassing mishap.

It's worth noting that the App Store preferences are unlocked by default on administrator accounts, and given the settings in this menu aren't overly sensitive, this bug is not nearly as serious as the earlier root vulnerability.

Apple will likely want to fix this bug sooner rather than later, so it's possible we'll see a similar supplemental update released at some point, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.

In the meantime, if you keep your App Store preferences behind lock, you'll want to be more diligent in ensuring that you log out of your administrator account when you are away from your Mac. Alternatively, until macOS 10.13.3 is released, users can use a standard account rather than an administrator one.

While this bug isn't as dangerous as the root password vulnerability, being able to bypass a login prompt with any password is something that obviously shouldn't be possible and is an embarrassing oversight for Apple.

Article Link: macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password [Updated]

Yup, replicated this issue.

Thank goodness it doesn't affect more important settings protected by the admin password.
 