Apple’s Mac operating system has another login bug, one that lets people log into App Store preferences by typing any random password. While this particular security flaw is not a huge concern, it still raises questions about the security of Apple’s desktop operating system.
This is the second login bug, after a security flaw was discovered in November that allowed anyone to log into a Mac by typing ‘root’ as the user name, with no password whatsoever. That flaw undermines the basic principles of security that prevent contents stored on a device from being accessed by coworkers, friends or any eavesdropper.
On Monday, a report on a community bug-reporting platform revealed that a local admin can log into App Store preferences with any bogus password. While local users don’t need any password to change App Store preferences, this flaw is easy to exploit when the user is logged into a Mac with administrative privileges. An attacker can take advantage of this flaw by looking for a Mac where the user has not logged out of the device. The issue seems to be present only on Macs running the latest High Sierra version, 10.13.2. CNET confirms that the exploit does not work on systems running the newer 10.13.3 version, which is yet to be made publicly available.
The attacker won’t be able to do anything drastic, but can disable automatic software updates or stop the App Store from asking for a password every time a new app is purchased from the storefront. Apple has not commented on this newest security bug, but it did issue a fix for the older login issue in the new version of High Sierra.
The details of the bug come amid the ongoing security issue around the Meltdown and Spectre vulnerabilities disclosed last week. Meltdown and Spectre are CPU bugs that affect devices using chips from Intel, AMD and ARM Holdings, and can be exploited to steal critical information, including passwords and private encryption keys.
Apple confirmed that all Mac and iOS devices are affected by Meltdown and Spectre, and issued a patch to fix the issue. The company has not detailed whether its devices are also affected by Spectre Variant 2, and should fix this issue as well with an upcoming security update.