New macOS High Sierra Password Flaw Discovered

Share

However, the report notes that the particular login attempt also accepts incorrect login credentials, provided that the user is logged in as the local admin. Flipping those settings could be used in conjunction with another attack to ensure a system wasn't patched to close a security hole, though local access or at least administrator access from a remote location are required.

First, an attacker would need to have physical access to the device itself and either have the administrator's password (which would allow them to make changes to the system even if the login requirement worked properly) or gain access while an administrator is already logged in. This should unlock the App Store preference for you.

With I Am Root still fresh in the memories of users and the recent hoopla over Meltdown and Spectre not yet died-down, this comes at a particularly unwelcome time.

The bug is nowhere near as unsafe as the root-access security flaw that was uncovered a year ago, whereby attackers could gain root access to MacOS computers by typing "root" in the username field and leaving the password field blank.

'But, still, this is embarrassing given what we just went through with the very serious root-access-with-no-password bug'. According to Mac Rumors, this bug is also not available in the third and fourth betas of macOS High Sierra version 10.13.3.

More news: Jack White Releases 'Connected By Love' Video, Streams 2nd New Song
More news: Massive Winter Storm Is Causing Severe Blood Shortages, Red Cross Says
More news: New Switch ports and video games announced in Nintendo Direct

The good news is that this bug appears to be limited to the App Store preference page as the padlock does not unlock other sections within System Preferences, so user accounts and other settings can't be changed. Enter any username and password you want and press Unlock and the App Store system preferences will become unlocked. If you're on macOS High Sierra 10.13.2, any password will unlock the preferences. Maybe Apple already got aware of the loophole and applied the fix.

If the padlock icon is locked, users can unlock it by entering their Apple login credentials. Our customers deserve better. "We are auditing our development processes to help prevent this from happening again". As for the bug itself, here is how users can recreate the scenario.

'Security is a top priority for every Apple product, and regrettably we stumbled with this release of Mac OS, ' Apple said in its statement.

Root accounts give users complete control over a machine.

Share