macOS High Sierra flaw unlocks App Store System Preferences with any password, fixed in latest beta

There’s a newly discovered security hole in the current version of macOS High Sierra that allows anyone with access to your Mac to unlock your App Store System Preferences without your system password. The impact of this vulnerability doesn’t appear to be severe, but the security feature clearly isn’t working as intended.

The security hole was first publicized in a bug report posted on Open Radar and shared by MacRumors. As the report mentions, the security flaw is present in macOS 10.13.2, which is the current public version of macOS High Sierra, but is resolved in the latest beta version of macOS 10.13.3.

We tested this on both the public version and developer beta version of macOS High Sierra and confirmed the issue and fix on our machines as well.

The flaw allows anyone with access to your Mac to unlock the padlock in the App Store section of the System Preferences app by entering any password, which clearly shouldn’t happen. The flaw follows a series of notable security bugs that shipped in recent weeks, including the notorious root access flaw that allowed anyone to access critical account settings and more.

The good news is that this bug appears to be limited to the App Store preference page as the padlock does not unlock other sections within System Preferences, so user accounts and other settings can’t be changed.

Many of the settings within the App Store System Preferences window are also protected behind your Apple ID password and can’t be changed using this method, but a nefarious user with physical access to your Mac could toggle the options that fall under the automatic update section.

It’s not known when the fix that is included with macOS 10.13.3 beta will ship to all customers, but hopefully the update will reach users soon.

In the meantime, it’s important to note that the flaw doesn’t expose private data and only affects Admin users, not Standard users. macOS High Sierra currently defaults the padlock for this preference section to open, but the next update will change this behavior and include the fix.