Mac flaw lets you log into App Store preferences with any password
It isn't a huge security concern, but this is the second login bug found in Apple's High Sierra operating system.
Laura HautalaFormer Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
ExpertiseE-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking.Credentials
2022 Eddie Award for a single article in consumer technology
Your Mac has another bug that lets people log in without your password. But unlike the last time this happened, it only leaves your computer exposed to a bit of mischief.
That proviso won't stop the bug from raising concerns about the overall quality of Apple's software. But it means the flaw doesn't hand anyone the keys to the kingdom.
Let's compare. In November, users found anyone could log into a Mac with just the user name "root" and no password whatsoever. That's a serious flaw that undercut the most basic line of security protecting the content of your computer from thieves, or even prying friends, family or co-workers. On Monday, a report surfaced that someone could log into your App Store preferences with any entry into the password field.
Apple didn't immediately respond to a request for comment. The issue only comes up when a Mac user is logged in with administrative privileges. For local users, no password is required to change App Store preferences.
CNET confirmed the bug by slapping random keys into the App Store preferences password field on a Mac running the most recent High Sierra operating system (10.13.2). Boom, we were logged in.
But what was next? Now CNET could take full control of, well, the computer's App Store preferences. Not exactly the kind of all encompassing power one might expect from bypassing a password. What's more, the computer itself wasn't locked when CNET struck -- just the App Store preferences.
To make this very clear: to take advantage of this flaw, an attacker would have to wait for an unsuspecting Mac user to walk away from their computer without logging out. Then this malicious person would need to rush up to the computer, open up the App Store preferences, and enter any old combination of keystrokes to log in and make changes. Finally, the saboteur could do something as dastardly as getting your computer to stop automatically checking for software updates.
CNET checked on a Mac running the next version of High Sierra (10.13.3), which hasn't been released to the general public yet, and found that the issue is no longer present.
CNET's Stephen Shankland contributed to this report.