A new password bug has been discovered in macOS High Sierra that allows any unauthorized user to access the App Store settings found under System Preferences. The bug unlocks the App Store settings when any random string of characters is entered, without verifying whether it is actually the admin password.
Thankfully, the bug is only found on the App Store settings page and does not affect other, more sensitive sections of System Preferences. You can see the bug in action by using an Administrator account on your Mac.
Simply open System Preferences, go to App Store and lock the settings page by clicking on the padlock icon (if it isn’t locked already). Then click on the padlock to unlock and enter anything you like. Finally, click the Unlock button. The settings page will now unlock and allow you to make changes.
With this unauthorized access, anyone who has access to the Mac can make changes to App Store preferences, install app updates, macOS updates, system data files and even security updates without having access to a Mac admin account.
While this does not pose any serious threat to user privacy or security, it is still alarming to see that such a bug exists in macOS in the first place, and it is an embarrassment for Apple. Apple has fixed the bug in beta 3 and beta 4 of macOS High Sierra 10.13.3, which means the company is aware of the issue and will fix it in the next macOS High Sierra release.
Apple has proven to be sloppy when it comes to password security on the Mac. Quite recently, a similar bug was found in macOS 10.13.1 that allowed anyone to access the root superuser account with a blank password field.