macOS bug allows System Preferences to be unlocked with any/no password

A report first filed on Open Radar (https://openradar.appspot.com/36350507) has revealed the biggest security flaw in the current version of macOS High Sierra (macOS 10.13.2).

The bug allows the App Store pane in System Preferences to be unlocked with any password, or even no password, as long as you are logged in as a local admin.

Steps to Reproduce:

Click on your System Preferences

Click on App Store

Lock the setting if it is not locked yet

Click on the padlock icon again to unlock it

Enter your Username and any/no password (123 or abcd)

Click Unlock

Bingo !!!

It is easy to exploit when the user is logged in to macOS with administrator privileges. Cyber criminals can take advantage of this flaw.

In September, a security researcher found an exploit to snag plaintext passwords from Keychain. This is the second time a login bug has been found, after the security flaw discovered in November, which allowed anyone to log in to a Mac by typing ‘root’ as the user name with no password.

We expect it to be fixed in the upcoming macOS 10.13.3 version.
