Slashdot Mirror

← Back to Stories (view on slashdot.org)

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password (macrumors.com)

Posted by msmash on from the state-of-the-art-tech dept.

A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps: 1. Click on System Preferences. 2. Click on App Store. 3. Click on the padlock icon to lock it if necessary. 4. Click on the padlock icon again. 5. Enter your username and any password. 6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

58 comments

  1. So I have to have root level access... by Drakonblayde · · Score: 2, Funny

    in order to exploit this. Yeah, not really seeing the big deal.

    1. Re:So I have to have root level access... by msauve · · Score: 1

      If a password weren't considered important for an admin level user, they simply wouldn't ask for one. Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      wat

    3. Re:So I have to have root level access... by Anonymous Coward · · Score: 1

      There is no sudo on any of my boxen. Play with matches on your own HW.

    4. Re:So I have to have root level access... by sexconker · · Score: 3, Insightful

      So when you need to execute a command with root privileges, what do you do?

      A) Not execute the command.
      B) Use something functionally equivalent to sudo, making your comment absolutely pointless.
      C) Login as root, like a moron.

    5. Re:So I have to have root level access... by viperidaenz · · Score: 2

      It's not the first time they've fucked up authentication recently, so you can be sure it's not the last.

    6. Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      So I have to have root level access... in order to exploit this. Yeah, not really seeing the big deal.

      It's a big deal because granting root access to a user is a different thing than granting that same user to your encrypted password database that keeps your apple store account information saved in it.

      You may not want your other administrators to have the ability to charge your credit card when installing software.
      That is why the store account has completely different credentials than your local accounts.

      The reason it's a big deal is that the encrypted password database storing the login credentials to your store account is supposed to be, you know, encrypted, with your user accounts password.
      But if that was actually the case, a bad password to access the store would fail to decrypt those credentials and not be able to sign in as you.

      So not only is the additional store app protections broken, but the credentials are clearly not encrypted with your user account password, since any password given will grant other users access to it.

      What else is supposed to be encrypted on the system but actually isn't?

    7. Re:So I have to have root level access... by geekmux · · Score: 1

      If a password weren't considered important for an admin level user, they simply wouldn't ask for one.

      Chances are the authentication GUI prompt is more meant to prevent nefarious processes from automatically executing when an admin is logged in (similar to seeing UAC prompts on Windows, even when running as local admin), which that CAPTCHA-esque interrupt is still important. This merely discovered that when logged in as an administrator, the authentication input is irrelevant.

      Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"

      A sudoer is not really a proper analogy, as that is a normal account you've granted rights to perform escalation. This feature (now with an identified bug) is more akin to being logged in as root and being blocked from running a high-level process until some level of additional end-user input is performed.

    8. Re:So I have to have root level access... by msauve · · Score: 1

      "Chances are the authentication GUI prompt is more meant to prevent nefarious processes"

      I disagree with that as a limit. It's to remind the user that they're about to make a change which may have significant impact (the bug doesn't change that). It requires that a non-admin user get an admin to approve changes (but apparently doesn't change that). It prevents "drive-bys", where someone steps away without locking their PC and a walk up ne'er-do-well tries to make system changes.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    9. Re:So I have to have root level access... by omnichad · · Score: 2

      That's not what's on the App Store preference pane. It's whether automatic updates are enabled and how long after a app recent purchase before requiring a password again.

      By default, this whole pane is unlocked and there's not much reason that most people would go in and lock this pane.

    10. Re:So I have to have root level access... by demonlapin · · Score: 2

      He's a social justice warrior for log cabin nazism.

      See, stuff like this is why I still come here, long after the site has ceased to have much relevance. The trolls are a bit one-note, but they do still have some style.

    11. Re:So I have to have root level access... by F.Ultra · · Score: 1

      He yells upstairs for his mom of course.

    12. Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      They are not fuck ups they are features.

    13. Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      C) Login as root, like a moron.

      Maybe I'm missing something from your comment, but what's the problem of logging in as root? I mean, to run the bunch of commands I need, not to run VLC and Firefox.
      Should I:
      sudo apt-get update
      sudo apt-get upgrade
      sudo apt-get dist-upgrade
      sudo ./install.sh something
      sudo rm -rf some/directory

      Or should I just:
      su -
      apt-get ...

      What am I getting of extra-security in the first scenario by typing sudo all the time? Have you nothing better to do with your time than to type sudo all day long (I work professionally as a sysadmin)...

    14. Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      Except you can get passwordless root using last week's apple vulnerability. You think everyone has actually updated since then?

    15. Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      I think in this case "su" is equivalent to "sudo", as in both are setuid-root binaries. A non-equivalent would be to actually login as root, which wouldn't necessarily be setuid-root. (Then again, I'd actually want to get rid of setuid-root binaries by implementing them in some nice way via UNIX sockets. Both su and sudo should be possible to be implemented that way.)

  2. Apple Quality by Anonymous Coward · · Score: 1

    Brought to you Time Cook, the replacement for Steve Jobs.

    1. Re: Apple Quality by Anonymous Coward · · Score: 0

      This is a fantastic typo and I can't quite tell if it was intentional or not...

  3. Admin? by Anonymous Coward · · Score: 0

    So an admin account can bypass a password-locked system setting? Is this even an issue?

    1. Re:Admin? by fireman+sam · · Score: 2

      This issue could be that you (the rightful admin level user) walks away from your computer to get another coffee and forget to lock it. While you're brewing, Mr Evil enters the scene and can unlock the App Store preferences panel without knowing your password.

      Now I had a look at what is in this panel, there's not much that can be changed in there. The most "harmful" setting may be to save the store password for 15 minutes for purchasing apps.

      Some other truly evil things that can be done in there is to change the checking of updates (Ooohhhh) - perhaps setting the "Automatically download apps purchased on other Macs" could be considered a DOS attack as it wouldn't take long to fill up the internal SSD with crap that you had downloaded over the years.

      Anyway, it is bad that they have a password box that doesn't give a shit about what password you entered, but in this case not much damage can be done.

      --
      it is only after a long journey that you know the strength of the horse.
    2. Re:Admin? by sexconker · · Score: 1

      Meh, Windows puts UAC a mere click away.

      You can't fix stupid. People will walk away without locking their machines, and they will bitch when you force their machines to lock after 10 minutes of inactivity.

      If you want a car analogy, walking away from your PC and leaving it unlocked is like leaving your car running, with the door open, while you go to get a cup of coffee in the gas station mini mart. And when your car gets stolen and the thief uses it in the commission of another crime you'll be held responsible to some degree.

    3. Re:Admin? by Anonymous Coward · · Score: 0

      It's more a matter of the fact that they ask for a password and then don't care what that password is, it isn't at all validated. If you're not going to check the password then why are you asking for one? Moreover is this the only place this happens?

    4. Re:Admin? by tbuddy · · Score: 1

      What are they going to do from there? Buy apps assuming they know your AppleID? Update your computer to the next patch which will probably fix the issue?

    5. Re:Admin? by Anonymous Coward · · Score: 0

      Plus, it is unlocked by default. Frankly, it wouldn't have occurred to me to even click on System Preferences for the App Store, but for this article. I don't have preferences for this kind of crap.

      Still lame that the feature, such as it is, is broken.

  4. Wasn't tested by Anonymous Coward · · Score: 0

    Didn't work.

    Film at 11.

  5. You're holding the App Store wrong by Anonymous Coward · · Score: 0, Troll

    It's not a bug.

  6. Scary because... by 110010001000 · · Score: 4, Insightful

    ...there seems to be a different auth code path for different padlock unlock/lock actions. Oh brother. So the bug isn't a big deal, but the symptom is troubling.

    1. Re:Scary because... by Anonymous Coward · · Score: 0

      No kidding. I realize people call programmers "code monkeys" but in apples case it looks like that have taken that literally. Maybe they should hire some QA monkeys.

    2. Re:Scary because... by Trailer+Trash · · Score: 1

      Not really as bad as you think. Some functions in the system control panel can be accessed by normal users. That includes the app store. I think the issue is that once you're there it might let you do things that you shouldn't be able to do.

      --
      Do you have ESP?
    3. Re:Scary because... by Anonymous Coward · · Score: 1

      Oh brother. So the bug isn't a big deal, but the symptom is troubling.

      What is troubling is how this passes even the most basic QA .... does password prompt accept valid password? Yes ... does password prompt accept invalid password? Yes. It's literally the second (if not the first) test case you would apply.

      I've yet to meet a single tester who wouldn't do that. I've know people who were annoying/awesome software testers ... because they immediately went straight to the "hey, what if I do random shit" level of testing.

      I've lost count of the number of developers I've seen red-faced saying "why would you even do that?", to which the answer is "if I did, some user will, and you asked me to test". In fact, some of those same devs would over and over fail the obvious tests of giving wrong input because they couldn't conceive that users would do so -- either on purpose or by accident. I've seen some who consistently ignored the obvious failure modes again and again, which is why you test in the first place.

      This positively smacks of someone who tested the expected path and ignored the exceptions. If your password prompt takes any password given to it, it's useless.

  7. Apple - It just works by Anonymous Coward · · Score: 0

    n/t

  8. Meh. by kelemvor4 · · Score: 0

    Obviously this isn't a problem for folks who care about computer security as it only impacts OSX.

    1. Re:Meh. by Anonymous Coward · · Score: 2, Interesting

      Yeah right.

      Someone’s never been to a computer security conference...

    2. Re: Meh. by Anonymous Coward · · Score: 0

      Cut him some slack, the poor guy hasn't even left his moms basement yet.

    3. Re:Meh. by Anonymous Coward · · Score: 0

      Maybe someone from apple should attend one of these conferences; seems like there is lots of room for improvement in their security.

  9. Apple is sloppy these days by Anonymous Coward · · Score: 0

    Not sure what is going on, but Apple has gotten sloppy in the last few years. Not so much specifics to this but in general Apple doesn't seem to interested in perfection these days, not even trying anymore.

    1. Re:Apple is sloppy these days by Anonymous Coward · · Score: 0

      What is going on is Tim F. Crook push to release on a fixed schedule and not when it is actually done. Jobs would never release something if it was not done. Time F. Crook just ships on schedule regardless of completion

  10. This is getting ridiculous by joh · · Score: 4, Interesting

    OK, this has somewhat limited potential, but still... what are they doing at Apple? Such things just should not happen. It's almost as if they're developing macOS as a hobby project, and there are hobby projects that do not have such glaring bugs.

    1. Re: This is getting ridiculous by Anonymous Coward · · Score: 1

      Apple is no longer a computer company. They are all in on the phone and mobile computing. So anything Mac related (ex: macOS, mbp) etc are second rate projects in apples eyes. They make most of their money from slanging phones.

    2. Re:This is getting ridiculous by bill_mcgonigle · · Score: 2

      MacOS is being kept on life support only until an iPhone can reasonably replace one with a wireless KVM. "Mac Mode" has been Steve's dream for more than a decade.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:This is getting ridiculous by Anonymous Coward · · Score: 0

      Tim Cook has made it clear that merit is not a primary hiring concern.

  11. Apple is sloppy by HannethCom · · Score: 1

    There, fixed the subject for you.
    Since March 2001, when OSX was first released, Apple has been lazy about all of OSX security. The biggest culprit usually being extremely slow in updating 3rd party libraries included in the core OS, even when the version of the libraries they are using have known major security problems.
    Before 2001, security wasn't even on a lot of people's radar, so before that I'm pretty sure they were lazy about it too.
    They aren't just lazy in security either, just look at their UI. Until recently many of their programs the interface was completely different between their applications. There was not much consistency. This may explain why study after study keeps showing that Apple have the worse user interfaces.
    I think the iPod and the stupid wheel is an extremely good example of this. My uncle got my grandmother an iPod. She never was able to remember how to use it. My aunt got her a Zen, and she never had troubles using that.

    --
    Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
  12. ~Re:So I have to have root level access... by Anonymous Coward · · Score: 1

    sudo is for people who don't know what they do i.e. noobs

    1. Re: ~Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      I think sudo is necessary to run dangerous commands safely.

      Since sudo itself is dangerous, I always run it with sudo, especially if I'm planning to reconfigure sudo.

      sudo sudo visudo

    2. Re: ~Re:So I have to have root level access... by Anonymous Coward · · Score: 0

      > sudo sudo visudo

      phil@collins:~# su sussudio

  13. What's next.... by ELCouz · · Score: 1

    ....gaining root access without a password?

    1. Re:What's next.... by F.Ultra · · Score: 2

      Just wait for Amazon to patent the "one click login"

    2. Re:What's next.... by Anonymous Coward · · Score: 0

      No. Access to the App Store. WooHoo! You're in! That GUI interface using Visual Basic really worked! Go nuts! Just don't try to buy anything or download any software, you're password will need to work.

    3. Re:What's next.... by Anonymous Coward · · Score: 0

      They could not because of the rounded corners on the button.

  14. Closed source by Anonymous Coward · · Score: 0

    This just goes to show closed source software just cannot complete with open source software. macOS will never take off like professional operating systems such as Linux with bugs like these lurking in the code. /s

    1. Re:Closed source by SurenEnfiajyan · · Score: 0

      https://news.slashdot.org/stor...

  15. Thanks! by hcs_$reboot · · Score: 1

    Forgot my password!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  16. Agreed. It's almost as if the 'High' in Sierra... by Immerial · · Score: 1

    ...describes the state of the programmers when they made this version. ;) ba dum tsh