
Security Bug Allows Settings Changes Without Password

12 January 2018

Users have discovered that it's possible to change Mac App Store preferences in macOS High Sierra using any password.

Experts say it is confined to the App Store and presents a relatively limited security risk.

Using this preference pane, users can choose to enable or disable automatic downloads and installation of OS security updates among other things.


However, coming soon after a previous "root user" password flaw discovered in December, as well as the Meltdown and Spectre chip flaws, the timing is likely to shake consumer confidence.

Some of you might recall that last year Apple's macOS High Sierra had a security flaw that allowed users to gain admin access without the need for a password.

Enter any bogus password you like and the system will grant you access.


Perhaps the strangest and most troubling part of the bug is that it does prompt the user to log in, as is typically required any time settings are changed within the operating system, but it doesn't matter whether the user actually enters the password. If the preference pane is unlocked, lock it and then try unlocking it using your username and any password. Apple later fixed the issue with a security update.

The discovery no doubt brings back memories of the infamous bug that allowed anyone with root access to a device to log in with hardly any hindrance. Our customers deserve better.

The issue has been fixed in the High Sierra 10.13.3 beta. In the meantime, make sure that you don't leave yourself logged into an administrator account when the computer is unattended, and ensure that any users whom you don't trust are on a standard account rather than an admin account. Apple may already have been aware of the loophole and applied the fix. "We are auditing our development processes to help prevent this from happening again", the company said in a statement to UberGizmo.


We should note that these settings are unlocked by default on administrator accounts, as they aren't especially sensitive.
