Apple to Patch Yet Another macOS Password Security Flaw

NEWS ANALYSIS: Once again, a security researcher has found a way to easily bypass macOS password security, though this time the impact is minimal.


A security researcher is warning of a new password bypass vulnerability in Apple's macOS High Sierra desktop operating system, though the flaw is not nearly as severe as other issues that Apple has patched recently.

Security researcher Eric Holtman publicly reported the password bypass issue on Jan. 8 by. Apple reportedly already has a fix in place for it as part of the macOS 10.13.3 update, which is in beta testing.

"The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password," Holtman warned in an advisory.

The AppStore preferences menu in macOS High Sierra provides a number of options for users, including requiring a password to be used for app and in-app purchases. The use of the password lock is intended to provide a mechanism that prevents any user with local access from changing the preferences without entering the proper password.

While enabling users to bypass what should be a set of password-secured options isn't a good idea in any circumstances, the actual risks are somewhat muted. Holtman wrote in the advisory that the flaw only works for users logged in as a local administrator on a macOS High Sierra system. In a series of Twitter messages on Jan. 10 directed at multiple media outlets, Holtman emphasized that the issue is not critical. He noted that any logged-in admin user could easily unlock the AppStore preferences settings if they chose to do so.

"This needs admin access to the machine already and only affects the AppStore prefs," Holtman wrote. "All other system prefs do not unlock this way. Likely an oversight in the security changes in 10.13.x."

The issue, however, is that multiple other password security oversights have been uncovered in macOS High Sierra 10.13.x in the months since the operating system was released in September 2017.

Barely a week after macOS High Sierra debuted, Apple issued a supplemental security update for two critical password-related vulnerabilities in the OS. In November 2017, Apple once again released an update for macOS High Sierra, after a researcher reported via Twitter that anyone could log in as "root" with an empty password on macOS High Sierra. 

To be fair, the AppStore issue that was reported on Jan. 8 does not represent as much risk as the November 2017 issue, identified as CVE-2017-13872. With CVE-2017-13872, Apple warned that an attacker could bypass administrator authentication without supplying the administrator's password. With the AppStore preferences issue, an attacker would already need to have root access to a system.

What is worrisome though is that these issues exist in the first place and keep popping up. It's hard enough to keep passwords safe in the modern threat environment, but when system preferences that should be secured by passwords are not actually secured, then there is reason for concern.

It could just be a set of unfortunate coincidences that have led to all the different password-related issues with macOS High Sierra. Then again, as Holtman wrote, it could just be an "oversight." Considering the critical role that passwords continue to play in modern IT security, though, having an oversight in password technologies isn't particularly reassuring.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.