MacOS Lets You Change Other People's App Store Settings
After a dangerous macOS flaw left some proverbial egg on Apple's face at the end of 2017, it probably didn't want to start 2018 with another issue on its hands.
Unfortunately, that's just the case as another (admittedly much less dangerous) security flaw has been found that lets a passerby edit your App Store system preferences.
Discovered by an Open Radar bug report forum user, the flaw makes it easy for anyone to unlock the App Store section of your system preferences. Found in version 10.13.2 of macOS High Sierra, this flaw allows someone to change your password requirement settings for purchases, automatic update download options.
The one catch, though, is that the system needs to be logged into by an admin user for this trick to work. Still, because most Apple users log in as admin users all the time (and here's why that is a very bad idea), this could be exploited by someone passing by an unattended Mac in a workplace, cafe or school library.
To see if your system is vulnerable, click the Apple icon in the top left corner, select System Preferences, click App Store, click the locked padlock (if it's unlocked, click to lock it first) and click the padlock again to unlock it. Then, enter the admin name (it should be there already) and any password (or no password at all), and click Unlock.
According to Open Radar commenter VoelinMail, this flaw is not found in version 10.13.1, so it may be exclusive to this current version of macOS. MacWorld reports that the flaw may be fixed by version 10.13.3, as users running that beta of macOS can't reproduce this flaw. We have reached out to Apple and will update this story if and when we receive a response.
Fortunately for users, this is nowhere near as bad as the Root flaw found in November, which allowed anyone to seize total, permanent control of your laptop as long as they had brief physical access to a logged-in Mac.