Another password security flaw has been found in macOS High Sierra, the second in three months. A bug report submitted to Open Radar earlier this week details a flaw in the current version of macOS High Sierra, version 10.13.2, that allows any user to unlock the App Store menu in System Preferences using any random password in fewer than five steps, MacRumors first reported.
According to the bug report, users can simply open System Preferences, go to App Store settings and check the padlock icon. If it is unlocked, lock it and then try unlocking it using your username and any password.
The login prompt simply accepts the incorrect password and unlocks, as long as you are still logged in as a local admin.
Using this preference pane, users can choose to enable or disable automatic downloads and installation of OS security updates among other things.
Although this vulnerability is not as serious as earlier password bugs plaguing High Sierra, it could potentially allow a malicious actor to disable automatic security updates on the device and exploit any bugs and vulnerabilities that would otherwise be regularly patched.
The bug report also highlights yet another embarrassing password-related bug for Apple.
In November last year, a serious "root" flaw was discovered in macOS High Sierra that allowed anyone to log into the admin account simply by using the username "root" with a blank password after clicking the login button multiple times. Apple later fixed the issue with a security update.
Apple has reportedly fixed the new bug in the beta version of macOS 10.13.3, its upcoming High Sierra update, which is expected to be released to the general public sometime this month, according to MacRumors.
"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again," the company said in a statement to UberGizmo.
IBTimes UK has reached out to Apple for further comment.