macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password [Updated]

A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.

mac app store preferences
MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:

• Click on System Preferences.
• Click on App Store.
• Click on the padlock icon to lock it if necessary.
• Click on the padlock icon again.
• Enter your username and any password.
• Click Unlock.

As mentioned in the radar, we can confirm that the App Store preferences login prompt does not accept an incorrect password with a non-administrator account, meaning there is no behaviour change for standard user accounts.

We also weren't able to bypass any other System Preferences login prompts with an incorrect password, with any type of account, so more sensitive settings such as Users & Groups and Security & Privacy are not exposed by this bug.

Apple has fixed the bug in the latest beta of macOS 10.13.3, which currently remains in testing and will likely be released at some point this month. The bug doesn't exist in macOS Sierra version 10.12.6 or earlier.

On the current macOS 10.13.2, the bug gives anyone with physical, administrator-level access to a Mac the ability to disable settings related to automatically installing macOS software, security, and app updates.

This is the second password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update.

Following the root password vulnerability, Apple apologized in a statement and added that it was "auditing its development processes to help prevent this from happening again," so this is a rather embarrassing mishap.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

It's worth noting that the App Store preferences are unlocked by default on administrator accounts, and given the settings in this menu aren't overly sensitive, this bug is not nearly as serious as the earlier root vulnerability.

Apple will likely want to fix this bug sooner rather than later, so it's possible we'll see a similar supplemental update released at some point, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.

In the meantime, if you keep your App Store preferences behind lock, you'll want to be more diligent in ensuring that you log out of your administrator account when you are away from your Mac. Alternatively, until macOS 10.13.3 is released, users can use a standard account rather than an administrator one.

While this bug isn't as dangerous as the root password vulnerability, being able to bypass a login prompt with any password is something that obviously shouldn't be possible and is an embarrassing oversight for Apple.

Top Rated Comments

Crosscreek Avatar
38 months ago
Oh Apple....Lol

It just works....for anybody.
Score: 99 Votes (Like | Disagree)
OldSchoolMacGuy Avatar
38 months ago
THIS WILL BE THE END OF THE WORLD!

WHAT HAS HAPPENED TO APPLE LATELY!? IF SOMEONE HAD ACCESS TO MY MACHINE THEY COULD CHANGE A COUPLE FAIRLY MEANINGLESS APP STORE PREFERENCES!!!!
Score: 42 Votes (Like | Disagree)
shareef777 Avatar
38 months ago
Passwords: now optional!
Score: 42 Votes (Like | Disagree)
Darryl.Jenks Avatar
38 months ago
Wow. Just wow.
Score: 37 Votes (Like | Disagree)
techno-Zen Avatar
38 months ago
Unreal, maybe focus less on retail store trees and more on stuff like this
Score: 33 Votes (Like | Disagree)
Chupa Chupa Avatar
38 months ago
A tad bit disturbing because it's so blatant and Apple has stated security is a feature of its products. These type of basic omissions belie its claims. Feels like Mac OS is becoming Windows with all these security patch updates. Maybe Apple needs to slow down here a bit and get back to basics.
Score: 30 Votes (Like | Disagree)

Top Stories

maxresdefault

Italy Fines Apple $12 Million for Misleading iPhone Water Resistance Claims

Monday November 30, 2020 3:10 am PST by
Apple has been slapped with a 10 million euro ($12 million) fine by Italy's antitrust watchdog for unfair commercial practices related to its iPhone marketing in the country. One of the Apple ads cited in the Italian watchdog's proceedings (credit: setteBIT) Specifically, Apple is being charged for misleading claims in promotional messages about how deep and how long iPhones can be submerged...
General cyber monday 20 sale feature

Apple Cyber Monday 2020: Discounts on iPads, Macs, AirPods, and More [Updated]

Monday November 30, 2020 6:25 am PST by
Today is Cyber Monday, a shopping event that sees many of the same deals from Black Friday bleed over into a new week, along with a few brand new offers on everything from Apple products to related accessories. In this post we'll highlight the best online discounts that you can find on Apple devices today. Note: MacRumors is an affiliate partner with some of these vendors. When you click a...
iPhone black friday 20 sale feature

Apple Black Friday 2020: Best iPhone Deals

Friday November 27, 2020 12:56 pm PST by
Black Friday is halfway done, but there are still a few deals to shop for on iPhones at carriers like AT&T, Verizon, and T-Mobile/Sprint. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. AT&T Starting with AT&T, you'll find up to $700 off any iPhone 12 when...
windows 10

Developer Successfully Virtualizes Windows for Arm on M1 Mac

Friday November 27, 2020 7:16 am PST by
Developer Alexander Graf has successfully virtualized the Arm version of Windows on an M1 Mac, proving that the M1 chip is capable of running Microsoft's operating system (via The 8-Bit). Currently, Macs with the M1 chip do not support Windows and there is no Boot Camp feature as there is on Intel Macs, but support for Windows is a feature that many users would like to see. Using the...
Top Stories 38 Feature

Top Stories: Black Friday Deals, Redesigned MacBooks, Hands-On With Apple's M1 Macs

Saturday November 28, 2020 6:00 am PST by
With Apple's holiday hardware lineup seemingly all set, attention this week turned to the shopping end of things with Apple and other retailers rolling out their Black Friday deals. That wasn't the only news this week, however, as we've continued to learn more about Apple's new M1-based Macs and we've even heard some fresh rumors about redesigned Mac notebooks coming next year, so read on...
16 inch MBP Mini Led

Mini-LED M1 MacBook Pro and Mini-LED iPad Pro Models Coming First Half of 2021

Monday November 30, 2020 2:24 am PST by
Apple is widely reported to be embracing mini-LED display backlighting technology for some products next year, and a new report today by DigiTimes has named several of Apple's partners in the supply chain that are expected to benefit from the switch. According to the report, Apple is set to launch its first mini-LED iPad Pro in the first quarter of 2021 and mass produce mini-LED MacBook Pro...
iphone trade in store

UK Environmental Committee Says Apple Contributing to 'Throwaway Culture' of 'Short-Lived Products'

Thursday November 26, 2020 7:07 am PST by
Technology companies like Apple are contributing to e-waste by making their products difficult to repair, and charging expensive repair fees, according to a lengthy report published today by the UK Parliament's Environmental Audit Committee. "We were told that Apple glues and solders parts together on their laptops, which makes repairing them very difficult," the Committee wrote in a summary ...
mac mini macbook pro macbook air

Apple M1 Hands-On Comparison: MacBook Air vs. MacBook Pro vs. Mac Mini

Monday November 23, 2020 3:40 pm PST by
Apple's M1 Macs are out in the wild now, but ahead of the holidays, you might still be trying to figure out which one to pick up, either for yourself or as a gift for someone else. We've got all three of the new Macs available, so we thought we'd give MacRumors readers a hands-on overview of each machine in our latest YouTube video. Subscribe to the MacRumors YouTube channel for more videos. ...
iphone 12 colors

iPhone 12 Colors: Deciding on The Right Color

Thursday November 5, 2020 8:35 am PST by
The iPhone 12 and iPhone 12 Pro arrived last month in a range of color options, with entirely new hues available on both devices, as well as some popular classics. The 12 and 12 Pro have different color choices, so if you have your heart set on a particular shade, you might not be able to get your preferred model in that color. iPhone 12 mini and iPhone 12 The iPhone 12 mini and iPhone 12 are ...
ipadairdesign

2020 iPad Air vs. iPad Pro: Hands-On Comparison

Tuesday October 27, 2020 3:03 pm PDT by
Apple announced the new 2020 fourth-generation iPad Air in September, but the new tablets just started shipping out to customers last Friday. We picked one up and thought we'd do a hands-on comparison with the iPad Pro, which was last updated in March, because both tablets are about as powerful and share many similarities. Subscribe to the MacRumors YouTube channel for more videos. Design and ...