March 18, 2018

Another password flaw has been discovered in Apple's MacOS

12 January 2018, 06:08 | Dale Webster

macOS App Store Preferences Open With Any Password

MacOS 10.13 High Sierra Update: Security Bug Allows Settings Changes Without Password

According to the bug report, anyone at the keyboard can open System Preferences, go to the App Store pane and click the padlock icon. On macOS High Sierra 10.13.2, entering any username and any string of text as the password and pressing Unlock unlocks the Mac App Store (MAS) settings, allowing anyone to change them.

The bug affects macOS 10.13.2 but cannot be reproduced on 10.13.3. The folks at MacRumors report that they were able to bypass the real password by following these steps while logged in to an administrator account, but were not able to trick any other System Preferences login prompt with a bogus password. Since the padlock on an administrator account only re-confirms that account's own password, the practical exposure is an unattended, logged-in administrator session.

Assuming an attacker gains such access, they would still only be able to change the App Store preferences. While those settings leave limited options for malicious activity, a threat actor could set up further attacks by preventing the machine from automatically downloading and installing updates, including those that patch security flaws.

The bug is nowhere near as dangerous as the root-access flaw uncovered late last year (it was disclosed in November 2017), whereby attackers could gain root access to a Mac by typing "root" in the username field, leaving the password field blank and pressing Enter several times in a row. Apple later fixed that issue with a security update.

'We greatly regret this error and we apologize to all Mac users. Our customers deserve better,' Apple said in a statement at the time.

Thankfully, the new bug appears to be patched in macOS 10.13.3, though that version is still in beta. MacRumors states that it cannot reproduce the error on the 10.13.3 betas, which suggests Apple was already aware of the loophole and that the fix will ship in the upcoming release.
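The post-exploitation condition the article warns about (automatic update checks, downloads or installs switched off) is easy to check for. The following Python script is an added example, not code from the article or from MacRumors: it reads the two system-wide preference domains that the App Store pane writes, flags any update setting that is missing or disabled, and flags a 10.13.2 build outright. The domain and key names (com.apple.SoftwareUpdate and com.apple.commerce with the boolean keys listed) are an assumption to verify with `defaults read` on a target machine; the sample dictionary at the bottom is constructed so the script can be exercised off a Mac.

```python
"""Audit the Mac App Store update settings that the High Sierra 10.13.2
padlock bug lets anyone change.  Added example, not the article's code.

Assumption (verify with `defaults read <domain>` on a real machine): the
App Store pane stores its checkboxes under the domains and keys below.
"""
import plistlib
import subprocess
from pathlib import Path

# System-wide preference files written by System Preferences > App Store.
DOMAINS = {
    "com.apple.SoftwareUpdate": Path("/Library/Preferences/com.apple.SoftwareUpdate.plist"),
    "com.apple.commerce": Path("/Library/Preferences/com.apple.commerce.plist"),
}

# Keys a hardened machine should have set to True, per domain (assumed names).
EXPECTED = {
    "com.apple.SoftwareUpdate": (
        "AutomaticCheckEnabled",   # Automatically check for updates
        "AutomaticDownload",       # Download newly available updates in the background
        "ConfigDataInstall",       # Install system data files
        "CriticalUpdateInstall",   # Install security updates
    ),
    "com.apple.commerce": (
        "AutoUpdate",                 # Install app updates
        "AutoUpdateRestartRequired",  # Install macOS updates
    ),
}

AFFECTED_VERSION = (10, 13, 2)   # the only build the article reports as affected


def parse_version(text):
    """'10.13.2\\n' (as printed by sw_vers) -> (10, 13, 2)."""
    return tuple(int(part) for part in text.strip().split("."))


def version_is_affected(product_version):
    """True only for the exact build reported vulnerable; 10.13.3 betas are not."""
    return parse_version(product_version) == AFFECTED_VERSION


def audit(prefs, product_version):
    """Return a list of findings (empty means nothing to report).

    prefs maps domain name -> dict of that plist's keys, as plistlib returns it.
    A key that is absent is reported as well, since it cannot be trusted.
    """
    findings = []
    if version_is_affected(product_version):
        findings.append(f"macOS {product_version.strip()}: App Store padlock "
                        "accepts any password; update to 10.13.3")
    for domain, keys in EXPECTED.items():
        values = prefs.get(domain, {})
        for key in keys:
            if values.get(key) is not True:
                state = "disabled" if key in values else "missing"
                findings.append(f"{domain}: {key} is {state}")
    return findings


def load_system_prefs():
    """Read the real preference files; plistlib handles binary and XML plists."""
    prefs = {}
    for domain, path in DOMAINS.items():
        if path.exists():
            with path.open("rb") as fh:
                prefs[domain] = plistlib.load(fh)
    return prefs


def system_product_version():
    """Ask sw_vers for the running macOS version (raises off macOS)."""
    return subprocess.run(["sw_vers", "-productVersion"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample: an administrator session where someone has unticked
# "Automatically check for updates" and "Install app updates".
SAMPLE_TAMPERED = {
    "com.apple.SoftwareUpdate": {
        "AutomaticCheckEnabled": False,
        "AutomaticDownload": True,
        "ConfigDataInstall": True,
        "CriticalUpdateInstall": True,
    },
    "com.apple.commerce": {"AutoUpdate": False, "AutoUpdateRestartRequired": True},
}

if __name__ == "__main__":
    import sys
    try:
        findings = audit(load_system_prefs(), system_product_version())
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not running on macOS: demonstrate the audit on the constructed sample.
        findings = audit(SAMPLE_TAMPERED, "10.13.2")
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Run it with `python3 audit_appstore_prefs.py` on the Mac in question; a non-zero exit means at least one finding. Because the settings are system-wide, the plists are readable without elevated privileges, so the check can run from any account or from a configuration-management agent.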
