{"id":20129,"date":"2018-01-11T13:09:43","date_gmt":"2018-01-11T18:09:43","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=20129"},"modified":"2018-01-11T21:03:06","modified_gmt":"2018-01-12T02:03:06","slug":"app-store-system-preferences-can-be-unlocked-with-any-password","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/01\/11\/app-store-system-preferences-can-be-unlocked-with-any-password\/","title":{"rendered":"App Store System Preferences Can Be Unlocked With Any Password"},"content":{"rendered":"<p><a href=\"https:\/\/www.macrumors.com\/2018\/01\/10\/macos-high-sierra-app-store-password-bug\/\">Joe Rossignol<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=16116499\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.macrumors.com\/2018\/01\/10\/macos-high-sierra-app-store-password-bug\/\">\n<p>A bug report <a href=\"https:\/\/openradar.appspot.com\/36350507\">submitted on Open Radar<\/a> this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.<\/p>\n<p>[&#8230;]<\/p>\n<p>Apple has fixed the bug in the latest beta of macOS 10.13.3, which currently remains in testing and will likely be released at some point this month. The bug doesn&rsquo;t exist in macOS Sierra version 10.12.6 or earlier.<\/p>\n<p>[&#8230;]<\/p>\n<p>It&rsquo;s worth noting that the App Store preferences are unlocked by default on administrator accounts, and given the settings in this menu aren&rsquo;t overly sensitive, this bug is not nearly as serious as the earlier root vulnerability.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/elkmovie\/status\/951132473529860097\">Michael Love<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/elkmovie\/status\/951132473529860097\"><p>This is damning, less in and of itself and more because the fact that it&rsquo;s architecturally possible suggests that much of OSX security is a facade.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/birchtree.me\/blog\/macos-high-sierra-has-yet-another-password-bug\/\">Matt Birchler<\/a>:<\/p>\n<blockquote cite=\"https:\/\/birchtree.me\/blog\/macos-high-sierra-has-yet-another-password-bug\/\">\n<p>This one event isn&rsquo;t the end of the world, but this is how reputations degrade over time. Apple needs a software win soon, because it&rsquo;s really just been a streak of bad news for them for months.<\/p>\n<\/blockquote>\n\n<p>See also: <a href=\"https:\/\/twitter.com\/rjonesy\/status\/951140842416242689\">Ryan Jones<\/a> and <a href=\"https:\/\/twitter.com\/reneritchie\/status\/951210745668173825\">Rene Ritchie<\/a>.<\/p>\n\n<p>Previously: <a href=\"https:\/\/mjtsai.com\/blog\/2017\/11\/29\/high-sierra-bug-allows-root-access-with-blank-password\/\">High Sierra Bug Allows Root Access With Blank Password<\/a>, <a href=\"https:\/\/mjtsai.com\/blog\/2017\/10\/05\/encrypted-apfs-volumes-password-exposed-as-hint\/\">Encrypted APFS Volume&rsquo;s Password Exposed as Hint<\/a>.<\/p>\n\n<p>Update (2018-01-11): See also: <a href=\"https:\/\/macperformanceguide.com\/blog\/2018\/20180110_0900-macOS-security-AppStorePreferencesUnlock.html\">Lloyd Chambers<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Joe Rossignol (Hacker News): A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. [&#8230;] Apple has fixed the bug in the latest beta of macOS 10.13.3, which [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[1143,131,30,39,1529,48,1181],"class_list":["post-20129","post","type-post","status-publish","format-standard","hentry","tag-apple-software-quality","tag-bug","tag-mac","tag-macappstore","tag-macos-10-13","tag-security","tag-system-preferences"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=20129"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20129\/revisions"}],"predecessor-version":[{"id":20146,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20129\/revisions\/20146"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=20129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=20129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=20129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}