A new macOS High Sierra bug, first uncovered by MacRumors, allows any user running the operating system to change App Store system preferences without a password.
A fix for the issue is already included in macOS’ next update, given that users running the operating system’s 10.13.3 beta have not been able to reproduce it. Thankfully for macOS users, the problem doesn’t allow access to sensitive user information, and user and other more integral system preferences can’t be changed without an actual password.
It’s also important to note that in order for the flaw to occur, the admin must first be logged in.
To find out if your device is affected by the security flaw, open ‘System Preferences’ on your Mac and click on ‘App Store.’ If the padlock icon at the bottom of the window is unlocked, click on it to lock it. Next, click on the padlock icon again to prompt an authentication window. A pop-up should then appear that prompts the user to enter their username and password.
If your device is affected by the security flaw, input any password in the dialogue box and the padlock will unlock, granting access to the App Store’s preferences. I was able to replicate the security flaw with the 2016 MacBook Pro with TouchBar I’m using that’s running macOS 10.13.2.
Back in November, Apple released a security update to macOS High Sierra that fixed a serious vulnerability that gave users admin access to any Mac without inputting a password. That particular security flaw is likely to go down as one of the most serious to ever be uncovered in the tech space — apart from the Meltdown and Spectre CPU vulnerabilities — especially for an Apple product.
While App Store preferences likely aren’t on anyone’s radar in terms of being a privacy concern, this issue still speaks to some of the problems Apple has been experiencing lately, especially from a security perspective. That said, sensitive information can’t be accessed through App Store preferences, so the situation certainly could have been worse.
Update 01/12/18: Additional information has been added to the story