The vulnerability on macOS 10.13 allows access to the Mac with any password

First discovered by the Open Radar, this security hole allows unlocking the settings in the App Store via the System Preference if the Mac is locked and has a lock icon in the left corner.

Normally, the user will not lock it but there is a message saying 'Click the lock image to avoid further changes'. Blocking will prevent automatic updates, install new macOS, security updates or system files.

The vulnerability on macOS 10.13 allows access to the Mac with any password Picture 1
Lock icon in the left-hand corner to open

Access without user name or password

Try it on macOS High Sierra 10.13.2, here are the steps:

1. Click System Preferences
2. Click the App Store
3. Click on the lock icon if available
4. Click on the lock icon again
5. Enter your username and any password
6. Click Unlock

This error is worse than the previous Mac lock error because no user name is required, because the authentication dialog only asks for a password and the username is usually filled out. If you go somewhere, forget to unlock it for a while.

The vulnerability on macOS 10.13 allows access to the Mac with any password Picture 2
But when it is locked, everyone can access it

With this vulnerability, anyone can get administrative rights on the Mac, change the settings related to macOS updates, security patches.

Experiment with this error on two completely successful Macs, allowing access to App Store settings in Preferences with any password, including a letter or a number. Even the part of the username you want to enter is okay.

According to the MacRumors, the error no longer works on the macOS High Sierra 10.3.3 Beta, meaning Apple has overcome it. But many people still use macOS 10.13.2, 10.13.1 or even 10.13. And version 10.13.3 is still in Beta and this month will be officially released.

See more:

1. Looking back at Apple 2017
2. Apple released macOS unlocking patch, with apology
3. Apple is preparing to combine iOS and Mac applications as one