Apple MacOS Has ‘Another’ Password Flaw

Apple security is once again in the spotlight after a researcher found another embarrassing password vulnerability in MacOS High Sierra.

The researcher Eric Holtam found a vulnerable dialogue box in the System Preferences panel for the App Store settings that lets someone bypass part of the operating system’s password protections.

This is not the first time that the password security of MacOS has been found wanting, as Apple’s security credentials have been hurt by a series of damaging revelations in recent months.

AppStore Preferences

Eric Holtam reported the bug to the Open Radar bug tracker webpage, and it concerns MacOS High Sierra (version 10.13).

“The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password,” warned Holtam.

When a user is logged in as a system admin, the user can get around the password requirement when making changes in the App Store settings panel.

Essentially, the user can open the App Store Prefpane from the System Preferences, and click on the padlock to make changes.

A password prompt then pops up, but the user is able to type in any string of text, and the “password” is accepted, unlocking the preferences panel.

This means the user is granted access to change the AppStore preferences.

Holtam admitted on Twitter that this flaw is a lot less serious than some of the other vulnerabilities that have been found concerning MacOS.

“This needs admin access to the machine already and only affects the AppStore prefs,” he tweeted. “All other system prefs do not unlock this way. Likely an oversight in the security changes in 10.13.x.”


Quality Control

However, the flaw does raise questions about Apple’s quality control processes, after a number of vulnerabilities have been disclosed with MacOS recently.

In late November, for example, a root flaw came to light that exposed anyone running an Apple Mac with version 10.13 or 10.13.1 of its latest operating system (i.e. High Sierra) to a serious privilege-escalation flaw granting admin rights.

Essentially, the flaw could have allowed admin access to Apple Macs by using the username ‘root’ and no password, which bypasses (in some cases remotely) local security settings.

Apple compounded the problem when it rushed out a patch within 18 hours of the flaw being reported. But it was found that the fix did not actually fix the problem, as the bug returns if Mac owners upgrade to the latest version of High Sierra after they have applied the patch.

Meanwhile last October a flaw was discovered that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
