Slashdot Mirror

← Back to Stories (view on slashdot.org)

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password (macrumors.com)

Posted by msmash on from the state-of-the-art-tech dept.

A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps: 1. Click on System Preferences. 2. Click on App Store. 3. Click on the padlock icon to lock it if necessary. 4. Click on the padlock icon again. 5. Enter your username and any password. 6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

27 of 58 comments (clear)

  1. So I have to have root level access... by Drakonblayde · · Score: 2, Funny

    in order to exploit this. Yeah, not really seeing the big deal.

    1. Re:So I have to have root level access... by msauve · · Score: 1

      If a password weren't considered important for an admin level user, they simply wouldn't ask for one. Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:So I have to have root level access... by Anonymous Coward · · Score: 1

      There is no sudo on any of my boxen. Play with matches on your own HW.

    3. Re:So I have to have root level access... by sexconker · · Score: 3, Insightful

      So when you need to execute a command with root privileges, what do you do?

      A) Not execute the command.
      B) Use something functionally equivalent to sudo, making your comment absolutely pointless.
      C) Login as root, like a moron.

    4. Re:So I have to have root level access... by viperidaenz · · Score: 2

      It's not the first time they've fucked up authentication recently, so you can be sure it's not the last.

    5. Re:So I have to have root level access... by geekmux · · Score: 1

      If a password weren't considered important for an admin level user, they simply wouldn't ask for one.

      Chances are the authentication GUI prompt is more meant to prevent nefarious processes from automatically executing when an admin is logged in (similar to seeing UAC prompts on Windows, even when running as local admin), which that CAPTCHA-esque interrupt is still important. This merely discovered that when logged in as an administrator, the authentication input is irrelevant.

      Would you consider a sudoer being able to issue privileged commands without doing sudo to be "not a big deal?"

      A sudoer is not really a proper analogy, as that is a normal account you've granted rights to perform escalation. This feature (now with an identified bug) is more akin to being logged in as root and being blocked from running a high-level process until some level of additional end-user input is performed.

    6. Re:So I have to have root level access... by msauve · · Score: 1

      "Chances are the authentication GUI prompt is more meant to prevent nefarious processes"

      I disagree with that as a limit. It's to remind the user that they're about to make a change which may have significant impact (the bug doesn't change that). It requires that a non-admin user get an admin to approve changes (but apparently doesn't change that). It prevents "drive-bys", where someone steps away without locking their PC and a walk up ne'er-do-well tries to make system changes.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:So I have to have root level access... by omnichad · · Score: 2

      That's not what's on the App Store preference pane. It's whether automatic updates are enabled and how long after a app recent purchase before requiring a password again.

      By default, this whole pane is unlocked and there's not much reason that most people would go in and lock this pane.

    8. Re:So I have to have root level access... by demonlapin · · Score: 2

      He's a social justice warrior for log cabin nazism.

      See, stuff like this is why I still come here, long after the site has ceased to have much relevance. The trolls are a bit one-note, but they do still have some style.

    9. Re:So I have to have root level access... by F.Ultra · · Score: 1

      He yells upstairs for his mom of course.

  2. Apple Quality by Anonymous Coward · · Score: 1

    Brought to you Time Cook, the replacement for Steve Jobs.

  3. Scary because... by 110010001000 · · Score: 4, Insightful

    ...there seems to be a different auth code path for different padlock unlock/lock actions. Oh brother. So the bug isn't a big deal, but the symptom is troubling.

    1. Re:Scary because... by Trailer+Trash · · Score: 1

      Not really as bad as you think. Some functions in the system control panel can be accessed by normal users. That includes the app store. I think the issue is that once you're there it might let you do things that you shouldn't be able to do.

      --
      Do you have ESP?
    2. Re:Scary because... by Anonymous Coward · · Score: 1

      Oh brother. So the bug isn't a big deal, but the symptom is troubling.

      What is troubling is how this passes even the most basic QA .... does password prompt accept valid password? Yes ... does password prompt accept invalid password? Yes. It's literally the second (if not the first) test case you would apply.

      I've yet to meet a single tester who wouldn't do that. I've know people who were annoying/awesome software testers ... because they immediately went straight to the "hey, what if I do random shit" level of testing.

      I've lost count of the number of developers I've seen red-faced saying "why would you even do that?", to which the answer is "if I did, some user will, and you asked me to test". In fact, some of those same devs would over and over fail the obvious tests of giving wrong input because they couldn't conceive that users would do so -- either on purpose or by accident. I've seen some who consistently ignored the obvious failure modes again and again, which is why you test in the first place.

      This positively smacks of someone who tested the expected path and ignored the exceptions. If your password prompt takes any password given to it, it's useless.

  4. Re:Meh. by Anonymous Coward · · Score: 2, Interesting

    Yeah right.

    Someone’s never been to a computer security conference...

  5. Re:Admin? by fireman+sam · · Score: 2

    This issue could be that you (the rightful admin level user) walks away from your computer to get another coffee and forget to lock it. While you're brewing, Mr Evil enters the scene and can unlock the App Store preferences panel without knowing your password.

    Now I had a look at what is in this panel, there's not much that can be changed in there. The most "harmful" setting may be to save the store password for 15 minutes for purchasing apps.

    Some other truly evil things that can be done in there is to change the checking of updates (Ooohhhh) - perhaps setting the "Automatically download apps purchased on other Macs" could be considered a DOS attack as it wouldn't take long to fill up the internal SSD with crap that you had downloaded over the years.

    Anyway, it is bad that they have a password box that doesn't give a shit about what password you entered, but in this case not much damage can be done.

    --
    it is only after a long journey that you know the strength of the horse.
  6. Re:Admin? by sexconker · · Score: 1

    Meh, Windows puts UAC a mere click away.

    You can't fix stupid. People will walk away without locking their machines, and they will bitch when you force their machines to lock after 10 minutes of inactivity.

    If you want a car analogy, walking away from your PC and leaving it unlocked is like leaving your car running, with the door open, while you go to get a cup of coffee in the gas station mini mart. And when your car gets stolen and the thief uses it in the commission of another crime you'll be held responsible to some degree.

  7. Re:Admin? by tbuddy · · Score: 1

    What are they going to do from there? Buy apps assuming they know your AppleID? Update your computer to the next patch which will probably fix the issue?

  8. This is getting ridiculous by joh · · Score: 4, Interesting

    OK, this has somewhat limited potential, but still... what are they doing at Apple? Such things just should not happen. It's almost as if they're developing macOS as a hobby project, and there are hobby projects that do not have such glaring bugs.

    1. Re: This is getting ridiculous by Anonymous Coward · · Score: 1

      Apple is no longer a computer company. They are all in on the phone and mobile computing. So anything Mac related (ex: macOS, mbp) etc are second rate projects in apples eyes. They make most of their money from slanging phones.

    2. Re:This is getting ridiculous by bill_mcgonigle · · Score: 2

      MacOS is being kept on life support only until an iPhone can reasonably replace one with a wireless KVM. "Mac Mode" has been Steve's dream for more than a decade.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. Apple is sloppy by HannethCom · · Score: 1

    There, fixed the subject for you.
    Since March 2001, when OSX was first released, Apple has been lazy about all of OSX security. The biggest culprit usually being extremely slow in updating 3rd party libraries included in the core OS, even when the version of the libraries they are using have known major security problems.
    Before 2001, security wasn't even on a lot of people's radar, so before that I'm pretty sure they were lazy about it too.
    They aren't just lazy in security either, just look at their UI. Until recently many of their programs the interface was completely different between their applications. There was not much consistency. This may explain why study after study keeps showing that Apple have the worse user interfaces.
    I think the iPod and the stupid wheel is an extremely good example of this. My uncle got my grandmother an iPod. She never was able to remember how to use it. My aunt got her a Zen, and she never had troubles using that.

    --
    Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
  10. ~Re:So I have to have root level access... by Anonymous Coward · · Score: 1

    sudo is for people who don't know what they do i.e. noobs

  11. What's next.... by ELCouz · · Score: 1

    ....gaining root access without a password?

    1. Re:What's next.... by F.Ultra · · Score: 2

      Just wait for Amazon to patent the "one click login"

  12. Thanks! by hcs_$reboot · · Score: 1

    Forgot my password!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  13. Agreed. It's almost as if the 'High' in Sierra... by Immerial · · Score: 1

    ...describes the state of the programmers when they made this version. ;) ba dum tsh