MacOS Lets You Change Other People's App Store Settings

Yolanda Curtis
January 12, 2018

Fortunately, Apple has confirmed that macOS High Sierra 10.13.3, which is in beta now, corrects the issue (via Macworld). This, even though the system password should have been the only key granting access to the privileged section.

'Security is a top priority for every Apple product, and regrettably we stumbled with this release of Mac OS,' Apple said in its statement. Flipping those settings could be used in conjunction with another attack to ensure a system wasn't patched to close a security hole, though local access or at least administrator access from a remote location is required. Users will simply need to log in as a local admin, lock the padlock icon, and unlock it anew using a username and a random password. The bug only works when you're logged into an administrative account, but it's another example of how Apple seems to have dropped the ball on setting user policies and permissions properly. In a series of Twitter messages on January 10 directed at multiple media outlets, Holtman emphasized that the issue is not critical.

The bug comes hot on the heels of a previous root user password flaw discovered in December. Apple has reportedly already fixed the latest bug in beta versions of the next macOS High Sierra update which will be rolled out to the public in the coming

The one catch, though, is that the system needs to be logged into by an admin user for this trick to work.

In November, Apple had to patch a vulnerability that allowed access to the root superuser account with a blank password. "Likely an oversight in the security changes in 10.13.x." Found in version 10.13.2 of macOS High Sierra, this flaw allows someone to change your password requirement settings for purchases and your automatic update download options.

Apple is aware of the vulnerability and has issued an apology. With CVE-2017-13872, Apple warned that an attacker could bypass administrator authentication without supplying the administrator's password.

What is worrisome though is that these issues exist in the first place and keep popping up.

The "embarrassing" loophole in MacOS High Sierra lets anyone with access to your machine bypass your password. Considering the critical role that passwords continue to play in modern IT security, though, having an oversight in password technologies isn't particularly reassuring.
