Mac is no stranger to password troubles, especially after having a rough 2017. Now, a new exploit was recently discovered that allows malicious users to bypass App Store login prompts with any password. This effects preferences for administrator accounts on MacOS High Sierra 10.13.2. If you’re an administrator and keep preferences locked and someone wants access to them, any password will do. Mac Rumors has confirmed that this exploit doesn’t effect standard users, so any administrators on shared Macs will need to ensure they are logged out before leaving their Mac unattended. This exploit leaves computers vulnerable to someone with malicious intent who might turn off “check for automatic updates,” thus preventing the download of important patches for your system.
Mac Rumors was able to successfully recreate the exploit with the steps outlined here. Fortunately, more sensitive settings like Users & Groups and Security & Privacy are not effected by the bug. Apple is resolving the issue in High Sierra 10.13.3; however, that won’t be released until later in the month.
While this vulnerability isn’t as dangerous as Apple’s previous root password exploit, it’s rather shameful that they continue to have avoidable security issues. The tech giant has apologized and says they are auditing their development process to prevent further mishaps.
Hopefully Apple will finally put their password woes to an end but given their recent track record I’m not particularly optimistic.
