X

Mac flaw lets you log into App Store preferences with any password

It isn't a huge security concern, but this is the second login bug found in Apple's High Sierra operating system.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
See full bio
Laura Hautala
2 min read
A MacBook on a table with the High Sierra operating system running, and the slogan, "Your Mac. Elevated." displayed on the screen. Macs running the most recent version of High Sierra have another login issue. But it's not as bad as the last one.

Macs running the most recent version of High Sierra have another login issue. But it's not as bad as the last one.

 CNET

Your Mac has another bug that lets people log in without your password. But unlike the last time this happened, it only leaves your computer exposed to a bit of mischief.

That proviso won't stop the bug from raising concerns about the overall quality of Apple's software. But it means the flaw doesn't hand anyone the keys to the kingdom.

Let's compare. In November, users found anyone could log into a Mac with just the user name "root" and no password whatsoever. That's a serious flaw that undercut the most basic line of security protecting the content of your computer from thieves, or even prying friends, family or co-workers. On Monday, a report surfaced that someone could log into your App Store preferences with any entry into the password field.

A screenshot of the login field for the App Store preferences on a Mac. Any password will do to long into the App Store preferences on a Mac running High Sierra 10.13.2.

Any password will do to long into the App Store preferences on a Mac running High Sierra 10.13.2.

 CNET

Apple didn't immediately respond to a request for comment. The issue only comes up when a Mac user is logged in with administrative privileges. For local users, no password is required to change App Store preferences.

CNET confirmed the bug by slapping random keys into the App Store preferences password field on a Mac running the most recent High Sierra operating system (10.13.2). Boom, we were logged in.

But what was next? Now CNET could take full control of, well, the computer's App Store preferences. Not exactly the kind of all encompassing power one might expect from bypassing a password. What's more, the computer itself wasn't locked when CNET struck -- just the App Store preferences.

To make this very clear: to take advantage of this flaw, an attacker would have to wait for an unsuspecting Mac user to walk away from their computer without logging out. Then this malicious person would need to rush up to the computer, open up the App Store preferences, and enter any old combination of keystrokes to log in and make changes. Finally, the saboteur could do something as dastardly as getting your computer to stop automatically checking for software updates.

CNET checked on a Mac running the next version of High Sierra (10.13.3), which hasn't been released to the general public yet, and found that the issue is no longer present.

CNET's Stephen Shankland contributed to this report. 

Virtual reality 101: CNET tells you everything you need to know about VR.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Computing Guides

Laptops
Desktops & Monitors
Computer Accessories
Photography
Tablets & E-Readers
3D Printers
Computing Coupons