macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password [Updated]

A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.


MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:

• Click on System Preferences.
• Click on App Store.
• Click on the padlock icon to lock it if necessary.
• Click on the padlock icon again.
• Enter your username and any password.
• Click Unlock.

As mentioned in the radar, we can confirm that the App Store preferences login prompt does not accept an incorrect password with a non-administrator account, meaning there is no behaviour change for standard user accounts.

We also weren't able to bypass any other System Preferences login prompts with an incorrect password, with any type of account, so more sensitive settings such as Users & Groups and Security & Privacy are not exposed by this bug.

Apple has fixed the bug in the latest beta of macOS 10.13.3, which currently remains in testing and will likely be released at some point this month. The bug doesn't exist in macOS Sierra version 10.12.6 or earlier.

On the current macOS 10.13.2, the bug gives anyone with physical, administrator-level access to a Mac the ability to disable settings related to automatically installing macOS software, security, and app updates.

This is the second password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update.

Following the root password vulnerability, Apple apologized in a statement and added that it was "auditing its development processes to help prevent this from happening again," so this is a rather embarrassing mishap.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

It's worth noting that the App Store preferences are unlocked by default on administrator accounts, and given the settings in this menu aren't overly sensitive, this bug is not nearly as serious as the earlier root vulnerability.

Apple will likely want to fix this bug sooner rather than later, so it's possible we'll see a similar supplemental update released at some point, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.

In the meantime, if you keep your App Store preferences behind lock, you'll want to be more diligent in ensuring that you log out of your administrator account when you are away from your Mac. Alternatively, until macOS 10.13.3 is released, users can use a standard account rather than an administrator one.

While this bug isn't as dangerous as the root password vulnerability, being able to bypass a login prompt with any password is something that obviously shouldn't be possible and is an embarrassing oversight for Apple.

Top Rated Comments

(View all)
Avatar
29 months ago
Oh Apple....Lol

It just works....for anybody.
Score: 99 Votes (Like | Disagree)
Avatar
29 months ago
THIS WILL BE THE END OF THE WORLD!

WHAT HAS HAPPENED TO APPLE LATELY!? IF SOMEONE HAD ACCESS TO MY MACHINE THEY COULD CHANGE A COUPLE FAIRLY MEANINGLESS APP STORE PREFERENCES!!!!
Score: 42 Votes (Like | Disagree)
Avatar
29 months ago
Passwords: now optional!
Score: 42 Votes (Like | Disagree)
Avatar
29 months ago
Wow. Just wow.
Score: 37 Votes (Like | Disagree)
Avatar
29 months ago
Unreal, maybe focus less on retail store trees and more on stuff like this
Score: 33 Votes (Like | Disagree)
Avatar
29 months ago
A tad bit disturbing because it's so blatant and Apple has stated security is a feature of its products. These type of basic omissions belie its claims. Feels like Mac OS is becoming Windows with all these security patch updates. Maybe Apple needs to slow down here a bit and get back to basics.
Score: 30 Votes (Like | Disagree)

Top Stories

Apple Releases iOS and iPadOS 13.4 With New Mail Toolbar, iCloud Folder Sharing, Trackpad Support for iPad and More

Tuesday March 24, 2020 9:56 am PDT by Juli Clover
Apple today released iOS and iPadOS 13.4, the latest major updates to the iOS 13 operating system that was released in September. iOS and iPadOS 13.4 come two months after the release of iOS and iPadOS 13.3.1 with Screen Time Communication Limits. The iOS and ‌iPadOS‌ 13.4 updates are available on all eligible devices over-the-air in the Settings app. To access the updates, go to...

Apple Releases macOS Catalina 10.15.4 With Screen Time Communication Limits and Real-Time Apple Music Lyrics

Tuesday March 24, 2020 10:21 am PDT by Juli Clover
Apple today released macOS Catalina 10.15.4, the fourth update to the macOS Catalina operating system that was released in October. macOS Catalina 10.15.4 comes a couple of months after the release of macOS Catalina 10.15.3. macOS Catalina 10.15.4 can be downloaded from the Mac App Store for free using the Update feature in the System Preferences app. The macOS Catalina 10.15.4 update...

Hands-On With Apple's New Smart Keyboard Folio for the 2020 iPad Pro Models

Tuesday March 24, 2020 12:38 pm PDT by Juli Clover
Apple last week introduced new 11 and 12.9-inch iPad Pro models, which are set to arrive in the hands of customers starting this week. Apple introduced a nifty new Magic Keyboard with trackpad alongside the new iPad Pro models that's coming in May, but it also debuted a new Smart Keyboard Folio, which is available now. We picked up the Smart Keyboard Folio for the designed for the 2020 iPad...

Apple Helps Source Over 10 Million N95 Masks for Healthcare Providers in the U.S.

Wednesday March 25, 2020 10:25 am PDT by Juli Clover
Apple over the weekend announced plans to donate millions of N95 masks to hospitals in the United States and Europe, and according to Apple CEO Tim Cook, Apple has been able to source more than 10 million N95 masks in the U.S. and millions more in Europe. Apple CEO Tim Cook said on Saturday that Apple was aiming to donate supplies to healthcare providers fighting COVID-19, and clarified...

Apple Considering Delaying iPhone 12 Launch 'by Months'

Wednesday March 25, 2020 12:51 pm PDT by Juli Clover
Apple is preparing to delay the launch of the 2020 iPhones expected to be equipped with 5G technology, according to sources with knowledge of Apple's plans that spoke to Japanese news site Nikkei. Apple has reportedly held internal discussions about the possibility of delaying the launch "by months" over fears of how well iPhones would sell in the current situation, and supply chain sources...

2020 iPad Pro Unboxing Videos and First Impressions

Tuesday March 24, 2020 5:34 am PDT by Joe Rossignol
Apple last week introduced new iPad Pro models with an similar performing A12Z Bionic chip, an Ultra Wide camera for 0.5x zoom, and a LiDAR Scanner for enhanced augmented reality. The new iPad Pro models will begin arriving to customers and go on sale at select stores starting tomorrow, and ahead of time, the first unboxing videos have surfaced. The new iPad Pro models will be compatible with A...

Hands-On With the New 2020 12.9-Inch iPad Pro

Wednesday March 25, 2020 2:10 pm PDT by Juli Clover
Apple last week announced new 11 and 12.9-inch iPad Pro models, and as of today, the new iPads are arriving to customers. We picked up one of the new 12.9-inch models and checked it out to see just what's new and whether it's worth buying. Subscribe to the MacRumors YouTube channel for more videos. When it comes to design, the new iPad Pro models are identical to the 2018 iPad Pro models, but ...

Mobile Networks in Multiple Countries Display 'Stay Home' Message When Users Connect to Cellular Instead of WiFi

Tuesday March 24, 2020 3:46 pm PDT by Juli Clover
iPhone users in several countries who disconnect from WiFi on their devices will see a "Stay Home" message at the top of the Control Center where cellular network information is displayed. Image via Matt Navarra According to reports on Twitter, the status bar messages are showing up in countries that include Germany, Belgium, United Arab Emirates, Peru, Turkey, India, Luxembourg, Romania,...

Apple Releases tvOS 13.4 for Fourth and Fifth-Generation Apple TV Models

Tuesday March 24, 2020 9:53 am PDT by Juli Clover
Apple today released tvOS 13.4, the third major update to the tvOS operating system that runs on the fourth and fifth-generation Apple TV models. tvOS 13.4 comes a couple of months after the release of tvOS 13.3.1. tvOS 13.4, a free update, can be downloaded over the air through the Settings app on the Apple TV by going to System > Software Update. Apple TV owners who have automatic software ...

Benchmarks Suggest New iPad Pro's A12Z Chip is Nearly Identical to A12X in 2018 iPad Pro

Monday March 23, 2020 7:18 pm PDT by Juli Clover
One of the new 2020 iPad Pro models equipped with an A12Z chip arrived early to a Reddit user, who did some benchmarking tests to see how it performs. In a Geekbench 5 test, the 11-inch 2020 iPad Pro earned a single-core score of 1114 and a multi-core score of 4654, which is close to the Geekbench scores of the 11-inch iPad Pro from 2018. The 11-inch iPad Pro has an aggregate single-core G...