Update: It's worth noting that the App Store preferences are unlocked by default on administrator accounts. While the seriousness of unauthorized access to the App Store menu is debatable, the underlying bug allowing a password prompt to be bypassed with any password is obviously unacceptable.

Nice update.

I would agree that the issue is not that big of a deal, and has little to no impact on most users.

While the glitch is relatively harmless, the fact that bugs like this are getting past QC/QA just shows that Apple needs to work on this before something a lot less harmless gets released.
 
This doesn't work for Network (AD joined) non-admin accounts at least. Tried several ways to get it to unlock, only the actual administrator password worked.

- Based on some others testing it and confirming it works - maybe it only works for local Admin accounts - will test that next.
Tested a Local Admin account - works as described, just have to press OK, don't even need to enter a password - still a bug, but at least it seems to be restricted to local admin accounts - any places using non-admin accounts don't appear to be affected
 
You can hide the "update to High Sierra" in the "Updates" section in the Mac App Store.
Just hold ctrl and click on the huge Mac OS High Sierra picture which takes up half of the page. There's now the option to hide it.

Apple has gone from it just works to it is so obscenely non-obvious though.

I just did what you suggested and now the huge graphic is gone, but I guess I'll see if I keep getting the pestering notification.

It was so bad I spent a lot of time trying to disable notifications entirely to get rid of the message, but it seems that Apple's idea of "disable notifications" is "pause notifications until tomorrow", which is pretty useless. I wish I could permanently disable notification centre on Mac. I hate notifications.
 
I can't agree with the folks saying this is a non-issue. It's a password. It's there for a reason. Just ignoring the entry is unacceptable, even if what it's protecting is trivial. This wasn't an active decision to ignore the password for trivial settings, this was a bug after another bug that let you gain root without a password and this one could have just as easily been protecting something important. Or the next one could.

This is a drop-everything-and-run-a-top-to-bottom-software-audit class problem, in my opinion.
 
If a user decides to click the lock to secure the preferences, then System Preferences will retain that setting. The bug is that any password is accepted when unlocking the preference, if an admin user is signed in.

No, because the settings there can be directly accessed anyway. That prompt is pure theatre.
I can't agree with the folks saying this is a non-issue. It's a password. It's there for a reason. Just ignoring the entry is unacceptable, even if what it's protecting is trivial. This wasn't an active decision to ignore the password for trivial settings, this was a bug after another bug that let you gain root without a password and this one could have just as easily been protecting something important. Or the next one could.

No, because the things behind this prompt were never protected anyway. They're just plist files. This is the nature of authorization: the user is authorized to make those changes. Authenticated or not, they're still authorized. There's no real security check here (and never has been), just the illusion of one.
 
It's true that Apple has been sucking in terms of security/qa in macOS lately. But there's no indication that this wouldn't happen if the system was based on iOS.

iOS has had its share of lock screen bypass flaws in the past.

I don't know, I feel like they are more on top of iOS security. More slips through the cracks on the macOS side. You're right though, I think it's an overall issue with Apple right now.
 
Not that big of a deal since it only works on an admin account - if someone malicious already has access to your admin account's desktop, you already have big problems.

Most are missing this point. If someone can access your admin account, changing your App Store preferences (which can't really do anything bad) is the very least of your worries.
 
Good old days, when everything worked like clockwork.

I agree, those were great days.

There's lack of vision, there's lack of clarity and structure today.
I wish they'd bring Scott back. He may have been a pain, but heavens, maybe it needs a pain ... to drive things forward.

It needs a vision - not a marketing division. :( I like Tim, but he's not a visionary, he can crunch numbers. Alas, it seems that no one can bring Steve back.

Sad to see what happens to Apple these days. :(
 
Every OS has flawless faults, really all OS out there. Where's the issue here? Yes there was a bug, a problem or whatever you call it and look - . . . .

Yep, makes sense. Apple does not need to aspire to any level of performance above that acceptable to a teenager. Teenagers don't care, and don't need to be very careful about security, so neither does Apple or its defenders.
 
One more reason I chose to leave macOS in 2017. iOS is a much better platform for me moving forward. Has everything I need and a bright future ahead. We need a ground up rework of macOS - based on iOS.

"Has everything I need and a bright future ahead."

So you did not need a computer in the first place?

I wish I could go only iOS apps, however there are half a dozen (at least) Mac Apps that I need to do my job and no current iOS can fill in.

I totally agree Apple has been sloppy lately with macOS and while I don't see this is really serious from a security perspective, it is still going to be bad press for 2-3 days and then the world will forget about it.

macOS is a complex OS, just like many other OSes, and just like all others it can and will have security bugs. I can't go to iOS only and nothing Apple has done with macOS would make me want to go with Windows again.
 