14 DAY TRIAL // Another major security flaw was discovered in Apple's macOS High Sierra 10.13 operating system, which lets anyone accessing the App Store preferences panel with any password if it's locked.
First spotted by MacRumors, there's a bug report about an issue, discovered a couple of days ago by someone and reported on Open Radar, which lets anyone access the App Store panel in System Preferences with literally any password, if the padlock at the bottom left corner is closed and your Mac is unlocked.
Usually, that padlock isn't locked, but its label says "Click the lock to prevent further changes" in the current version of macOS, a.k.a. High Sierra 10.13.2. Locking those settings should prevent someone from disabling automatic updates, as well as installing of new macOS versions, system data files, and security update.
It doesn't even need a username or a password
The bug is even worse than initially reported, as it doesn't even need a username or a password, so someone who has access to your Mac, if you forgot to unlock it for a few minutes, can change any of those settings and prank you. The authorization dialog usually asks for your password as the username is already filled.
Well, we've just tested the bug on two Macs, and it allows us to access the App Store settings in the Preferences panel using any password, really, anything, even one letter or one number. On top of that, you can type any other user you can think off in the username field, with or without a password, and it works.
According to MacRumors, the bug isn't there on the latest macOS High Sierra 10.13.3 beta, which means that Apple knew about it and fixed it accordingly. But the problem is that most of the world still uses macOS 10.13.2 or 10.13.1 or even 10.13 on their Macs, and the macOS 10.13.3 software update is weeks away.
Update 23/01/2018: Apple patched this security vulnerability with the macOS High Sierra 10.13.3 software update released on January 23, 2018.
