A bug has been discovered in macOS 10.13.2 that allows you to unlock the App Store system preferences using any username and password as long as you are logged in as a local admin. This means that if your account is an admin and you leave the computer unattended, anyone can change the App Store settings on the Mac without your knowledge.
While this is not as serious as the recent bug that allowed you to gain macOS root access by entering no password repeatedly, it does show that there are some serious code auditing issues in macOS regarding how passwords can be used. This is twice now in as little as three months that the password field was able to be used in macOS to gain extra privileges.
As shown in the video above, using this bug is really simple. Just open up the App Store system preferences and if the little padlock icon is locked, click on it. macOS will then prompt you for a username and password. Enter any username and password you want and press Unlock and the App Store system preferences will become unlocked. This allows you to change settings such as what updates to install, whether to install security updates, and more.
I personally tested this bug in macOS 10.13.1 and it would not work. According to Mac Rumors, this bug is also not available in the third and fourth betas of macOS High Sierra version 10.13.3. So it appears to be only in 10.13.2 and possibly the earlier betas of 10.13.3.
For now, either do not use a local admin account or make sure to lock your mac when it is not being used.
Comments
Umidigy - 6 years ago
I tried this on my mac and it worked. 10.13.2
MABER - 6 years ago
Still not patched just tried 01/15/18