macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password

Oliver Nelson

A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.

https://openradar.appspot.com/36350507

Summary: The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password.

Steps to Reproduce:
1) Log in as a local admin
2) Open App Store Prefpane from the System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter any bogus password

Expected Results: The authorization to fail.
Actual Results: Authorization succeeds and grants access to change the AppStore preferences.

Brayden Myers

Is this supposed to be a feature?

Luis Scott

Who cares? No macos users here.

Jordan Long

the login just werks man, it's a feature

Xavier Powell

Steps to Reproduce:
1) Log in as a local admin
hmmm

Hunter Moore

How to log in as local admin on MacOS:
1) Click on 'Show Password Hint'
2) Copy hint into password textfield

Henry Ramirez

Ooops sorry. I meant to say this:
1) Hit Enter with empty password until it works

Kayden Miller

Apple's back-end technology is usually pretty solid but clearly something is wrong with this release.
I guess that's why they named it High Sierra.

Christian Butler

macOS user here, confirmed true

Aaron Lopez

not a big deal, but makes you think about their code quality

Chase Hughes

shitty research kernel with FreeBSD 4 and old GNU stuff bolted on top
solid

Ethan Jackson

Did anyone really expect that piece of shit to be secure?

Parker Howard

I haven't updated yet because I'm lazy as fuck but it seems I've dodged a bullet.

Caleb Bailey

The problem was that this bug actually creates a local admin user even if one doesn't already exist.

I thought this was reported months ago.

Juan Reed

That was a different bug that could be replicated by a non-privileged user.

Evan Rodriguez

I-I cannot control it anymore...
iFAGS BTFO

Mason Walker

Jesus Christ Apple, this is at least the third dumb security fail you've had with High Sierra.

Wrong, I use it.

Colton Young

It seems they've all but abandoned MacOS, putting all their resources into iOS. Very odd though, considering the amount of cash they have on hand, they could build a very competent team. I should have known it was going downhill when they fired most of the kernel developers though.

Charles Thompson

they fired most of the kernel developers
when?
any links on this?

Matthew Thompson

they'll soon be ARM only

Luke Ward

Strange, I cannot find a source for you, but I definitely recall them downsizing the team and moving some into iOS. Hubbard is the most high profile one that worked on the OSX kernel but he left in 2013.

Especially if that "What's a computer?" ad is anything to go by.

Oh and, obligatory Apple fanboy internet defense response is pic related.

Isaac Brown

I wanted to see what the macfags on reddit were saying about this. Here's one from /r/macos, this is battered-wife syndrome.

Tyler Richardson

he left in 2013
That's also about the same time OSX really started to go to shit. Mavericks was the start of the real shitshow and it's been getting worse since. Now it's like they are not even trying. They are slow to release updates and high priority things get botched.

10.4 was the high watermark and coincidentally it was the last release before they came out with iOS.

My bet is they just have a few pajeets limping it along until they switch to ARM.

Grayson Rogers

Apple is moving Mac consumers from OS X to iOS. The Mac will die within a few years because Apple is killing it.

Isaiah Sanders

The Apple is rotten.

Benjamin Smith

Seems so. I'm already dual booting a linux distro after the disastrous high sierra.

Jaxon Campbell

My employer sent out a notice that macfags should upgrade to High Sierra this week because of Meltdown.

This is ridiculous.

Jayden Bell

I'm pretty sure the Meltdown patches are backported to Sierra.

Anthony Long

Seems so. I'm already dual booting a linux distro after the disastrous high sierra.
I am stopping at Sierra also. When things start to break from requiring High Sierra I'll move on to TrueOS or FreeBSD.

Dominic Gutierrez

TrueOS or FreeBSD.
I was very tempted by both of those options, but figured linux would be smoother on a laptop.

Aiden Gonzalez

FreeBSD
secure
cy3

Alexander Gonzalez

FreeBSD 4
But Apple is one of the top contributors to FreeBSD 12.

Cooper Clark

do you know de wey?

Tyler Johnson

Apple also funded Clang. That let freebsd get rid of gcc.

Bentley Anderson

Log in as a local admin
This is like saying root can use passwd on any other user or see what is in their /home.

"admin" is superuser on OSX.

Zachary Cox

I'm buttfucking your shitty forced meme for luls and trolling violent leftist domestic terrorists.

Robert Jenkins

proof?

Kayden Williams

I know de whey

David Price

I know de whey
HAHAHAHAJAHAHHAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHAHAHHAHAHAHAHAHAHHAHSHAHAHAHHAHAHAHAHAHAHAHAHHAHAHAHAHAHHAHAHAHAHAHAHAHHAHAHAHAHAHAHHAHAHAHAHAHHHAHAHAHAHAHAHHAHAHAHAH
LOLOLILILILILILILILILLLLLLLLOLOLOLOLOLOLOL

Dominic Price

SOURCE? Source??? You got a source????
Do your own research. I also expect they'll patch El Capitan.

Tyler Reyes

make claim
sperg out when asked for proof
wew

Matthew Reyes

Because it takes a second to confirm yourself.
https://support.apple.com/en-ca/HT208394

Dylan Wood

My mistake, it looks like only Spectre has been addressed for El Cap/Sierra, I would expect Meltdown to be patched for Sierra given the severity, but it does not appear to be patched yet.

Jack Nelson

Found another bug which is arguably worse than this
https://apple.stackexchange.com/questions/312294
tl;dr when the screen is locked, a snapshot of the screen (at the moment when it was not locked — may have some important data obviously) can be trivially seen by anybody who has a fraction of a second of physical access.

Nathaniel Diaz

I'm happy to read these news because they mean Apple will be rotten in five years or less

Angel Sanders

But what should I do to make it also appear in the news articles or something?
AFAIK it's a new thing, and while it's not as devastating as the empty root password or password being put into the hint, it's still quite bad

Colton Ward

Do your own research
closed source system

but whatever, I already made the mistake of upgrading to High Sierra anyway

David Morris

Spread it on the Apple subreddit.
Sorry for sperging out, I unfortunately had to visit reddit for some information and your post reminded me of how those tards speak.

David Torres

Spread it on the Apple subreddit.
https://www.reddit.com/r/apple/comments/7qf4or/yet_another_security_bug_macos_high_sierra/
am I doing it right? I don't use reddit often

Alexander Mitchell

Apple is intentionally ruining the reputation of OSX and Macbook so they can discontinue the whole line and get everybody using iOS.

Anthony Ward

iOS cannot do what macOS can. the direct migration path is Ubuntu or fucking Windows.

Grayson Bell

For you. For the average normie, the phone is actually more powerful because you can easily take it anywhere for the purpose of taking a selfie.

Jonathan Smith

iOS cannot do what macOS can.
Most normies can get along fine with just an iPad. What do they see as the biggest limitation for general use? Smaller screen and no real keyboard/mouse.

Holla Forums can't see it because we all need full blown computers but when you look at the industry the "Desktop" computer in the home is dead. Laptop sales are flat or falling.

Look at what the typical Mac users do. Word possessing, email, video streaming, social media. All shit that could be done on iOS with a tweaked UI on top of it.

Jason Gray

Word possessing
spooky tbh

Adam Stewart

normies
reddit spacing

Alexander Powell

maybe, normies can.
but if apple wanted to ditch macos, they could simply kill it and be done, why not?
also, I've heard that ios 11 is also a piece of shit, I cannot confirm because I never used or will use it, but that's what the web is mumbling.

Nathaniel Wilson

made the mistake of upgrading to High Sierra anyway
Have you noticed that PDFs render atrociously on HS? On my machine (and it seems many others) the fonts are very blurry. The reason for it is apparently because they ported the iOS pdf renderer to the MacOS and the result is pure crap. If they're not able to fix it by 10.3.3 I'll probably wipe the OS off.

Robert Martin

Looks OK but I am using RETINA™ DISPLAY™ so maybe it's not representative.
Are you testing with PDF file which has real text (as text) or a scanned image?
Anyway, the Preview is shit for image viewing and it always was. It fucking can't open several images to show them in order, it randomly breaks the order and/or opens in more than 1 window, arbitrarily choosing which image goes to which window. This is beyond unreasonable.
You also have the choice of using a browser, nowadays most of them have embedded pdf.js which usually can handle PDFs without problems.

Sebastian Bennett

Yeah Retina display, and real fonts. The other popular PDF viewers all seem to use Apple's PDFKit, so display the same problems. I refuse to install Adobe software so Acrobat crapware is out of the question. Browser rendering is actually what I resorted to, but it's a pathetic work around.

Alexander Thompson

Also, it's not just PDF issues. Apart from the lackadaisical approach to security, even things like Spotlight occasionally crash, and I've encountered a few issues where the machine does not wake from sleep. All of these issues seem to be fairly common in high sierra.

Jayden Murphy

You either have the full power of a computer available to you or you have a glorified tv. Users can't get better if the whole system is locked down.

Alexander Williams

Wasn't there also a thing where you could unlock accounts by typing 'password' into the password field?

What the fuck apple, get your shit together.

Cooper Brooks

Not even password, just typing anything worked. There was also the incident where it saved your full password as the password hint. It's like Apple put all the lowest IQ diversity hires into MacOS development. It's a shame, because I happen to like the OS (when it works), but they seem intent on ruining it.

Connor Cruz

Wasn't there also a thing where you could unlock accounts by typing 'nigger' into the password field?

Luke Gomez

Apple wants a closed system like iOS. If mac users run stuff that they got outside of the App Store then Apple sees that as a fault.
It is clear Apple doesn't give a shit about OSX and did a damn good job getting rid of the powermac users and old UNIX guys. They don't want power users they want consumers.
Replacing native OSX applications with ones ported from iOS is just the beginning.

Grayson Price

I still struggle to believe how a company with the resources of Apple can put out something as retarded as the cylinder Mac Pro, emoji bar Macbook Pro or let models line languish for half a decade without updates. They might not have always been price or performance competitive depending on the chips at the time but at least it felt like they fucking tried back then.

John Perez

Steve Jobs was the only thing holding them together. After he died it all went south as the company started being led by Pajeets.

Grayson Garcia

Ya Jobs would never let Mac get to what it is today. Compared to the iPhone/iPad it's weak on profits but that never stopped him from sinking money and engineering in.

Lucas Green

out of curiosity I checked their site, the trashcan hasn't been updated since release.
no worries though, the imac pro with its starting price of only $4,999* will surely sell.

* configures up to $13,427. mfw

Zachary Thompson

To be fair, the Powermac Cube was Jobs' baby and that was a retarded idea too. At least he wasn't stupid enough to replace the regular model with it though.

Ethan Murphy

The cube didn't really catch on but the Mini did. Apple has sold tons of them but they are letting it die now. No update since 2014.

Brody Smith

The Mini is the last good computer they have left. WTF

Jace Taylor

Holy shit, the top response you got (upvoted 174 times)

Honestly I can’t remember a macOS release that didn’t do that. So, it’s not a High Sierra regression.

There's nothing wrong with this because it has been broken for a long time!!!! This is why even people who like Macs hate the Apple fanboy.

Liam Roberts

The mini is just low end specs in a small package and was their cheapest model. So of course it sold. Comparing it with the Cube is silly.

Isaac Long

The Mini was what Apple customers actually want. The Cube is what Jobs thought they wanted. The MacBook Air is what Apple thinks their customers deserve.

Julian Sanders

, I've heard that ios 11 is also a piece of shit,
Apparently so. They had some sort of bug last month where any notification would cause the system to crash if the date was December 2nd.
https://www.imore.com/iphone-crashing-dec-2-heres-fix

There goes my theory that MacOS sucks because of concentrated iOS development. Just what the fuck are they doing in that spaceship? I don't want to know.

Matthew Harris

Letting the hard to engineer macs rot for years and doing the absolute bare minimum with OS X is really starting to advance that switch to ARM rumor.

Jonathan Thompson

Everyone makes themselves admins when they turn their computers on for the first time.

Colton Thompson

functional illiteracy
cool
