Another macOS password prompt can be bypassed with any password

MacRumors spotted a bug report that affects the current version of macOS High Sierra. In System Preferences, you can unlock the App Store preference pane by typing any password. Apple has reportedly already fixed the bug in beta versions of the next macOS High Sierra update.

While this bug is nowhere as serious as the infamous root login bug, as John Gruber wrote, this one is quite embarrassing. What’s wrong with password prompts and macOS?

If you want to test this bug at home, I was able to reproduce it quite easily. Open System Preferences, go to the App Store settings and look at the padlock icon. If it’s unlocked, lock it first and then try unlocking it with any password. Ta-da!

You can enable or disable automatic downloads and installation of app and operating system updates using this preference pane. This doesn’t represent an immediate security risk. But if someone already has access to your computer, they could disable automatic security updates and take advantage of vulnerabilities that are regularly patched.

By default, App Store settings are unlocked for admin users. But if you’re a bit paranoid about security, chances are you locked down all your system settings to make sure nobody is playing with them.

More importantly than the bug itself, Apple should reconsider their quality assurance processes. It’s time to stop shipping updates with embarrassing bugs.