A new vulnerability has been found in macOS version 10.13.2 that enables anyone with access to your Mac to unlock App Store system preferences using any username and password as long as you are logged in as a local admin.
This means that if your account is an admin and you leave the machine unattended, anyone with malicious intent can change the App Store settings on the Mac without your knowledge.
“Steps to Reproduce:
1) Log in as a local admin
2) Open App Store Prefpane from the System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter any bogus password”
According to Mac Rumors, Apple has fixed this issue in the latest beta of macOS 10.13.3, which currently remains in testing and will likely be published at some point this month. This issue doesn’t exist in macOS Sierra version 10.12.6 or earlier.
Users are advised not to use a local admin account and to make sure to lock the Mac when it is not being used.