macOS App Store Preferences Open With Any Password

This is one of those security bugs that is dumb rather than dangerous. On macOS 10.13.2, the App Store preferences can be unlocked using any password. It’s not a massive security problem but points to a bigger issue.

A bug report at Open Radar describes the issue and how to reproduce it. Basically, if the preference pane for the App Store is locked, entering any password will unlock it.

The impact is small as it's only preferences for one application and, to get to it, you need to log into the operating system - and that password layer seems just fine.

But what it indicates is a lack of testing when new releases are pushed out.

Given security is such a big deal, this is an embarrassing gaffe the company can ill afford at a time when security issues dominate the technology industry.

I suspect the list of items that get regression tested when Apple releases a new version of their software just got a little longer.


Comments

    This is sort of bad coming after the bug letting anyone log into a Mac with the username root and a blank password.

    MS isn't really a whole lot better; their 6-month rapid release schedule is missing stuff all the time too.

    From the link:
    "Summary:
    The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password.
    Steps to Reproduce:
    1) Log in as a local admin
    2) Open App Store Prefpane from the System Preferences
    3) Lock the padlock if it is already unlocked
    4) Click the lock to unlock it
    5) Enter any bogus password"

    You need to log in as the local admin for this to work. If you have the local admin password to log in, you'd be able to get access to the padlocked content regardless of whether this bug was there or not.

    My system was so secure I had to first lock the App Store preference pane to check, but yep, type any old garbage in and it unlocks.

    Not sure I'll lose any sleep over it...
