Stop us if you've heard this one: Apple's password protection in macOS can be thwarted
Developers (again) find preferences hole (again) that bypasses login box (again)
It just works. For anyone.
An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system's password protections.
This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug, reported by developer Eric Holtam to the Open Radar bug tracker, has since been verified by Mac-toting netizens.
The bug allows a user logged in with admin rights (this is important to note) to get around the password requirement when making changes in the App Store settings panel. Open the App Store settings panel, click on the padlock to make changes, a password prompt pops up, type in any string of text, and the "password" is accepted, unlocking the preferences panel.
Aaron Lint, veep of research at infosec biz Arxan, claimed the trick can also be used to bypass the login requirements for some other settings panels as well, but not the important "Users and Groups" and "Security and Privacy" controls.
I can confirm that using the AppStore preferences bypass to unlock that dialog will cause all of the other pref panes to unlock as well, Network, Sharing, etc. pic.twitter.com/H8blnc2Gud— lintile (@lintile) January 10, 2018
While the bug disclosure brings up memories of last year's macOS I Am Root security flap, this latest find is far less serious – although a damning indictment of Apple's quality control.
Holtam said exploiting the bug requires the user to already be logged in with an account that has admin privileges, meaning the trick would only be useful if the owner of the account had stepped away from their machine. The App Store settings are also unlocked by default, meaning the password would only be requested if the user has clicked on the padlock icon to prevent settings being changed.
.@appleinsider Also this doesn't work if the current logged in user is a non-admin. This is only with a logged in admin user so the impact is minimized even further. Any logged in admin could unlock that setting anyway.— Eric Holtam (@eholtam) January 10, 2018
Additionally, the permissions granted by exploiting the bug are fairly limited, much more so than what was given by exploiting the root flaw.
Still, the discovery of another hole in the macOS security settings is likely to prove yet another pain in the collective rear end for Apple's engineers.
With I Am Root still fresh in the memories of users and the recent hoopla over Meltdown and Spectre not yet died-down, this comes at a particularly unwelcome time.
The bug, we gather, is fixed in the latest macOS 10.13 beta releases, and will be addressed in the next official release, too. ®