macOS High Sierra lets you unlock App Store preferences with any password

Face palm table coffee Apple MacBook

Most of the security vulnerabilities we write about are hard to exploit by the average computer user. I consider myself fairly experienced but, honestly, without a step by step guide I would not be able to "hack" a program or operating system even with the full bug report in front of me. And even then I probably would not know what to do to get any meaningful data from it anyway.

But some security vulnerabilities are so easy to exploit that anyone can do it. Unlocking the App Store menu in System Preferences on macOS High Sierra 10.13 is one of them.

All that you have to do is click on the padlock, enter any password that you want and hit Unlock. I would find it amusing, except we are talking about an Apple product that's used by millions and not a small program created by a new developer who's just learning the ropes.

I tested this security vulnerability on my MacBook Air running macOS High Sierra 10.3.2 (with the supplemental update that Apple released to mitigate the Spectre security vulnerability) using "123", "1", and an empty string as the password. It worked every time.

You can see the result in the slideshow below.

This slideshow requires JavaScript.

As you can notice from the screenshots, there is not a whole lot of damage that one can do by messing around with the App Store settings. The Password Settings group of options, which let the App Store know how you want to handle purchases and in-app passwords as well as free downloads is not affected.

When you want to change either of the two options you are presented with a menu to enter your Apple ID password, which does not have the same vulnerability as the App Store System Preferences menu. So you cannot buy or download apps on that Mac if the user did not choose to save the password before.

What you can do is alter the way that app and operating system updates are checked and installed. So, at worst, you could make it so that the user's Mac stays on older versions of the apps and operating system -- until (if) the user realizes this. So, apparently, it is a harmless security vulnerability.

The effect this is likely to have will be short-lived. Apple will fix this vulnerability in the upcoming macOS High Sierra 10.3.3. What's more, if you do not have an admin account on your Mac, you are safe -- that's not likely to be the case though, as, by default, that's the type of account that the operating system creates.

Photo Credit: FXQuadro/Shutterstock

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.