Mac exploit lets you change App Store preferences with any password


The bug allows any user to change preferences in the App Store within minutes, without needing the original password, according to a bug report on Open Radar, a website used by Apple developers.

Fortune successfully tested the bypass on a 2012 MacBook Pro running the latest version of macOS High Sierra.

Thus far, it does not appear that the password bug in the App Store is present anywhere else within macOS 10.13 High Sierra.

To check if you're affected by this bug, open System Preferences on your Mac, click on App Store, then if the padlock on the window is unlocked, click on it to lock it. This should unlock the App Store preference for you.

The bug is nowhere near as dangerous as the root-access security flaw that was uncovered last year, whereby attackers could gain root access to macOS computers by typing "root" in the username field and leaving the password field blank.

Enter your user name and any password.

"We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused".

What you can do is alter the way that app and operating system updates are checked and installed. You do need to log in as an administrator, which is supposed to unlock preferences, but you're allowed to use any password you like if the preference is locked and you need to get access again.

In order to reproduce the bug, a user can start by logging in as an admin.

Apple pledged to review its software development process in early December 2017, after a researcher discovered a bug that could give hackers total control of vulnerable machines. Our customers deserve better. MacRumors states that it cannot reproduce the error on the beta versions of macOS 10.13.3, suggesting it'll be fixed in an upcoming release.

Numerous settings within the App Store System Preferences window are also protected behind your Apple ID password and can't be changed using this method, but a nefarious user with physical access to your Mac could toggle the options that fall under the automatic update section.