Yet Another Password Vulnerability Has Been Found In macOS High Sierra 

For the third time in recent months, big problems have been discovered with macOS High Sierra.

In September, a security researcher named Patrick Wardle discovered an exploit to snag plaintext passwords from Keychain. Two months later, software developer Lemi Orhan Ergin realised that gaining root access to High Sierra machines was essentially as easy as inputting the username "root", no password required. And now, MacRumors reports, a gaping hole has been found that could affect a Mac user's security.

A bug report filed on Open Radar earlier this week, affecting version 10.13.2, describes how any user can change the App Store system preferences without a real password, in five steps or fewer:

1) Log in as a local admin

2) Open App Store Prefpane from the System Preferences

3) Lock the padlock if it is already unlocked

4) Click the lock to unlock it

5) Enter any bogus password

If a machine is already unlocked, someone with malicious intent could easily turn off "automatically check for updates", leaving a machine's current bugs unpatched. Is it as serious a vulnerability as gaining root access? Of course not. But the purpose of a password field is to deny entry to those without it - a basic feature of modern computing. Fortunately, according to MacRumors' tests, the issue appears to be resolved in the forthcoming 10.13.3 update - which you wouldn't be alerted to if automatic updates are turned off.
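
A defender's check for the outcome described above, as an added example that is not from the article or the bug report: it reads the system-wide software update settings and flags any that have been switched off, along with the 10.13.2 version the report names. The preference domain and key names are assumptions about macOS 10.13, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the update settings reachable from the App Store prefpane.
# Assumption: these settings live in the domain and keys below on macOS 10.13.
SU_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate
SU_KEYS="AutomaticCheckEnabled AutomaticDownload ConfigDataInstall CriticalUpdateInstall"

# Print one "key=value" line per setting, plus the OS version.
# A key that is absent is reported as "unset" (the system default applies).
collect_update_prefs() {
    for key in $SU_KEYS; do
        val=$(defaults read "$SU_DOMAIN" "$key" 2>/dev/null) || val=unset
        printf '%s=%s\n' "$key" "$val"
    done
    printf 'ProductVersion=%s\n' "$(sw_vers -productVersion 2>/dev/null)"
}

# Read "key=value" lines on stdin and print one FINDING line per problem.
# Returns 1 if anything was flagged, 0 otherwise.
audit_update_prefs() {
    findings=0
    while IFS='=' read -r key val; do
        case "$key" in
            ProductVersion)
                # 10.13.2 is the version named in the bug report.
                if [ "$val" = "10.13.2" ]; then
                    echo "FINDING: macOS $val is the version the bug report affects"
                    findings=1
                fi ;;
            AutomaticCheckEnabled|AutomaticDownload|ConfigDataInstall|CriticalUpdateInstall)
                # "defaults read" prints 0 for a boolean that is switched off.
                if [ "$val" = "0" ]; then
                    echo "FINDING: $key is disabled"
                    findings=1
                fi ;;
        esac
    done
    return "$findings"
}

# Run the live check only where the macOS "defaults" tool exists.
if command -v defaults >/dev/null 2>&1; then
    collect_update_prefs | audit_update_prefs
fi
```

Run on a schedule from a management agent, a non-zero exit status marks a machine whose update checks have been turned off or that is still on the affected version.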

2017 was a grim year for Apple, as bugs, vulnerabilities and public gaffes piled up against the company that built its image on slick, highly designed products. Hopefully the App Store settings exploit isn't an indicator of what's to come.




    If a machine is already unlocked
    and logged in as a local admin.

    Is it as serious a vulnerability as gaining root access? Of course not.
    If the machine is logged in to a local admin account and unlocked there is a heck of a lot of damage that can be done even without true root access.

    Is it bad? Definitely. But given step 3
    3) Lock the padlock if it is already unlocked
    and given that the App Store preferences are unlocked by default on administrator accounts, this is pretty much a complete non-issue apart from the fact that there is clearly something funky going on somewhere.

    I think the critical takeaway from this is that security audits are becoming better and better. Instead of looking at this as an issue, we should see it as beneficial to helping developers like myself improve code that has a possibility of causing harm to end-users. With that said, it's hard to see how this "bug" will threaten the security of everyday users since you need access to the admin account first and that just doesn't happen these days easily.

    To me, it's a minor keychain bug that Apple can and will fix next week.
