Users are now reporting a new macOS High Sierra bug, less than three months since the last security flaw was discovered. The newly found bug allows users to unlock the App Store preferences menu using a random password.
Apple’s macOS High Sierra is in hot water once again after users discovered yet another security flaw. While not as serious as the one discovered a couple of months back, the bug can nevertheless have some potentially harmful implications for users. A new bug report on Open Radar indicates that the flaw is once again password-related and allows users to unlock the App Store preferences menu with any old password. Whether it’s an actual password used a while back or just some random gibberish, users are reportedly able to go to System Preferences and unlock the App Store.
Needless to say, under normal circumstances the authorization would fail if the password is not correct and users would not be able to unlock the App Store. Because of the newly discovered security flaw in the current version of macOS High Sierra, however, the authorization succeeds upon typing any made-up password. It’s worth mentioning that the user does need to be logged in as the local admin in order for this to work. It has been confirmed that the bug does not trigger when a standard user tries to unlock the menu using a random password.
The flaw isn’t as serious as some of the others we’ve seen in the past, but it does have the potential to cause some issues either way. For example, a hacker could use this vulnerability to disable automatic updates and look for opportunities to further exploit a vulnerable device. Luckily, Apple is well aware of the flaw and has already fixed it in the beta version of macOS High Sierra 10.13.3. That said, this version is only scheduled to launch later this month, so it looks like users will have to pay very close attention to their devices until then.
This new security flaw comes less than two months after macOS High Sierra was discovered to have another, even more serious vulnerability. Back in late November, it was reported that users had been able to exploit a bug that allowed anyone to gain admin access to a device by using a very simple trick. Instead of typing in the regular username and password when prompted, it was enough to type “root” into the username field and leave the password field empty. This apparently worked even on locked devices.
Apple later fixed this particular issue; however, the company lost a lot of credibility in the eyes of some people, as that was a pretty major flaw that shouldn’t have made it into the public build. The newly discovered flaw isn’t nearly as serious as the last one, but it may be a sign that Apple isn’t paying as much attention to macOS as it once did.