Mac password flaw leaves Apple red-faced


There is a security flaw in the most recent edition of macOS High Sierra, version 10.13.2, that allows users to unlock the App Store menu in System Preferences without knowing the password.

Using the flaw, they could disable automatic security updates, leaving the system exposed to vulnerabilities that future updates would otherwise patch. So, at worst, you could make it so that the user's Mac stays on older versions of the apps and operating system until (if) the user realizes this.

The new flaw, uncovered by Eric Holtam, an IT systems administrator, and posted to Open Radar, a bug-reporting website, is troubling nonetheless.

Assuming the attacker would be able to gain such access, they would still only be able to change the user's preferences in the App Store.

Enter your user name and any password.

The bug is nowhere near as risky as the root-access security flaw that was uncovered the previous year, whereby attackers could gain root access to macOS computers by typing "root" in the username field and leaving the password field blank.

'But, still, this is embarrassing given what we just went through with the very serious root-access-with-no-password bug'.

Apple has also introduced a fix in the latest beta of macOS (version 10.13.3), which should show up in an update sometime later this month.

All that you have to do is click on the padlock, enter any password that you want and hit Unlock. There's no current workaround to this issue, so the only real option is to wait for Apple to provide a solution.

'Our customers deserve better. We are auditing our development processes to help prevent this from happening again', Apple said in a statement.

Most of the security vulnerabilities we write about are hard to exploit by the average computer user.

Numerous settings within the App Store System Preferences window are also protected behind your Apple ID password and can't be changed using this method, but a nefarious user with physical access to your Mac could toggle the options that fall under the automatic update section.

Root accounts give users complete control over a machine.