A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.
I get it: tech journalists tend to lose their minds when it comes to Apple. The slightest flaw is hyped up beyond belief, given a name ending in “gate,” and then forgotten about within a month. It’s a regular cycle at this point, and it makes it hard for readers to recognize actual problems.
A Bit of History
So let’s review quickly. Back in November 2017, a macOS bug let anyone create a root account without a password in System Preferences simply by typing “root” as the username and making up literally any password. Instead of denying you access, like a well-designed system would, macOS High Sierra would just create a root account using whatever password you entered.
In addition to being mind-numbingly insecure, this is bizarre behavior. Why in the world would making up a root password create a root account out of whole cloth? What is happening in the backend that makes that possible?
It’s hard to imagine, which is why this wasn’t a case of tech journalists exaggerating. It was really, really bad.
And the cleanup after that bug didn’t inspire much more confidence. Sure, Apple issued a patch that fixed the issue, but many users ended up reintroducing the problem if they installed the week-old 10.13.1 update after installing the patch. Only with the release of 10.13.2 was the problem fully fixed, and that wasn’t until December 2017.
But at least that was the end of it. Right?
The Latest Problem
Not quite. It turns out there are more inexplicable security problems in System Preferences. You can re-create this one easily in 10.13.2 if you want to play along at home, so open a window and join me! Open System Preferences in an Administrator account, and then head to App Store. You’ll notice the lock at bottom-left is open by default, meaning you’re free to change settings.
I’m not sure why the lock is there at all if it’s unlocked by default, but whatever. Click the lock to “secure” this panel, and then click it again to unlock it. Here’s the trick: you can type literally any password you want and the panel will unlock.
The same goes for the username: you can put anything you want in that field and the panel will unlock. I typed “Harry” as the username and “is dumb” as the password and it worked; so did “Justin” and “is awesome.”
Practically, this isn’t much of a problem: again, the panel in question isn’t locked down by default, and unlocking this panel does not give you access to any other locked panel.
The problem is we don’t know why this is happening, and whether the bug that allows it may exist elsewhere. As with the earlier bug, it’s amazing no one caught this problem in testing, and it really makes you wonder how much you can trust macOS to keep your data locked down.
We’re sure an update will patch this up, especially now that the media is making a fuss. But contrary to what you might think, I don’t like making a fuss. I’d rather things be locked down. Apple needs to step up their game on the security front, because stuff like this makes it seem like they’re not even paying attention.