Apple MacOS Has ‘Another’ Password Flaw

Apple security is once again in the spotlight after a researcher found another embarrassing password vulnerability in MacOS High Sierra.

The researcher, Eric Holtam, found a vulnerable dialogue box in the App Store pane of System Preferences that lets someone bypass part of the operating system’s password protections.

This is not the first time that the password security of MacOS has been found wanting, as Apple’s security credentials have been hurt by a series of damaging revelations in recent months.

AppStore Preferences

Eric Holtam reported the bug to the Open Radar bug tracker webpage, and it concerns MacOS High Sierra (version 10.13).

“The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password,” warned Holtam.

When a user is logged in as a system admin, they can get around the password requirement when making changes in the App Store settings panel.

Essentially, the user can open the App Store Prefpane from the System Preferences, and click on the padlock to make changes.

A password prompt then pops up, but the user is able to type in any string of text, and the “password” is accepted, unlocking the preferences panel.

This means the user is granted access to change the AppStore preferences.

Holtam admitted on Twitter that this flaw is a lot less serious than some of the other vulnerabilities that have been found concerning MacOS.

“This needs admin access to the machine already and only affects the AppStore prefs,” he tweeted. “All other system prefs do not unlock this way. Likely an oversight in the security changes in 10.13.x.”


Quality Control

However, the flaw does raise questions about Apple’s quality control processes, after a number of vulnerabilities have been disclosed with MacOS recently.

In late November, for example, a root flaw came to light: anyone running an Apple Mac on version 10.13 or 10.13.1 of its latest operating system (i.e. High Sierra) was exposed to a serious flaw granting admin privileges.

Essentially, the flaw could have allowed admin access to Apple Macs by using the username ‘root’ and no password, which bypasses (in some cases remotely) local security settings.

Apple rushed out a patch within 18 hours of the flaw being reported, but compounded the problem when it was found that the fix did not actually fix the problem: the bug returned if Mac owners upgraded to the latest version of High Sierra after they had applied the patch.

Meanwhile, last October, a flaw was discovered that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes, the operating system instead displayed the entire password.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
