Thursday, January 11, 2018

App Store System Preferences Can Be Unlocked With Any Password

Joe Rossignol (Hacker News):

A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.

[…]

Apple has fixed the bug in the latest beta of macOS 10.13.3, which currently remains in testing and will likely be released at some point this month. The bug doesn’t exist in macOS Sierra version 10.12.6 or earlier.

[…]

It’s worth noting that the App Store preferences are unlocked by default on administrator accounts, and given the settings in this menu aren’t overly sensitive, this bug is not nearly as serious as the earlier root vulnerability.

Michael Love:

This is damning, less in and of itself and more because the fact that it’s architecturally possible suggests that much of OSX security is a facade.

Matt Birchler:

This one event isn’t the end of the world, but this is how reputations degrade over time. Apple needs a software win soon, because it’s really just been a streak of bad news for them for months.

See also: Ryan Jones and Rene Ritchie.

Previously: High Sierra Bug Allows Root Access With Blank Password, Encrypted APFS Volume’s Password Exposed as Hint.

Update (2018-01-11): See also: Lloyd Chambers.

1 Comment RSS · Twitter


[…] Previously: Encrypted APFS Volume’s Password Exposed as Hint, High Sierra Bug Allows Root Access With Blank Password, App Store System Preferences Can Be Unlocked With Any Password. […]

Leave a Comment