
AppStore Preferences can be unlocked by a local admin with any bogus password - tomduncalf
https://openradar.appspot.com/36350507
======
newscracker
This does not help at all for the drubbing that macOS High Sierra has been
getting recently. Long term OS X users have been waiting for a Snow Leopard
like release, but it seems like Apple isn’t taking as much care as required on
security and stability on the Mac. Something has to give — either Apple’s
organizational structure needs a change or Apple needs to abandon certain
things completely instead of releasing sub-standard products that aren’t
expected from it.

As a long time Mac user, I keep hoping that Apple will decide to double down
on better and deeper focus on all its products, including the Mac, its OS and
ecosystem, and make the changes necessary across its organization and its
teams.

~~~
hanklazard
I'm also a long-time Mac user, but I've really had about enough of this.
Between the seemingly constant stream of security problems and the dumbing
down of OSX (MacOS, whatever), I'm not sure I'm willing to pay a premium for
this product anymore.

At the same time Apple seems to be dropping the ball, some of the more
noob-friendly linux distros are starting to look very attractive. And while
Apple still seems to have the best hardware overall, a Lenovo Carbon X1 seems
like a very decent option. I'm by no means a "pro" user (I have a decent
understanding of computers, can get around on linux command line, some basic
experiences in programming, etc), but I'm probably going to start making the
switch, at least for my laptop.

Slightly off topic, but one of the only software issues holding me back
previously was 1Password compatibility on linux, but apparently, it is now
available (1). Anyone tried it? It's not a stand-alone application, but I'm
probably okay with that.

(1)
[https://discussions.agilebits.com/discussion/79940/a-present-for-chrome-os-and-linux-users](https://discussions.agilebits.com/discussion/79940/a-present-for-chrome-os-and-linux-users)

~~~
reaperducer
If some of the Linux distros would start trying to look like MacOS instead of
constantly aping Windows, then switching would be a lot easier.

That's been the big reason I've never really taken to Linux. The GUIs all look
like Windows with a skin. Where's the innovation?

~~~
willtim
This is not true in general. Linux Desktop UIs like Gnome 3 have taken a lot
of criticism precisely because they have _not_ been copying Windows and have
deviated considerably (due to patent concerns). Of course, there are some
fringe "garage effort" Linux distros that don't care about patents and do just
give some part of the community what they want.

As for innovation, Linux desktop UIs had virtual desktops and window tiling
features long before Windows and MacOS.

~~~
pjmlp
> As for innovation, Linux desktop UIs had virtual desktops and window tiling
> features long before Windows and MacOS.

Well, all commercial UNIXes had them before Linux was even a thing.

~~~
willtim
Yes I remember the CDE desktop had virtual desktops, but they go back even to
Xerox Parc (according to Wikipedia). There are many minor aspects that have
been tweaked and are perhaps newer ideas though. For example, on my desktop, I
can search for a window title and get a list of windows across virtual
desktops that are matches, and jump to the relevant desktop and window.

------
dalemyers
The interesting implication from this is that while it works for the App Store
preferences, it doesn't work for the others, showing that there is a manual
check that each pane is doing. Why aren't all of these calls identical? If
each has to be handled manually, it's no wonder that there are bugs like this
appearing.

~~~
christoph
My guess is that the App Store preferences isn't even meant to have the
padlock. iCloud prefs doesn't have it, so I can only assume it's there by
mistake.

If you try the same thing with say "Time & date prefs", it pauses with an
incorrect password for a few seconds, then visually shakes indicating it's a
wrong password. With the App Store prefs, it just instantly closes the
authentication dialog, even with a blank password.

I don't really understand the logic as to why some panels in preferences have
padlocks and others don't... Why does date/time need admin rights whereas
Network (delete/add/reconfigure networking), Internet Accounts (delete/add any
accounts?), iCloud (do all manner of things), Time Machine (back a machine up
elsewhere?) don't require it?

~~~
briffle
Most OSes require admin rights to change the date/time because of the ability
to mess with things like Kerberos ticket TTLs, and other security issues.

~~~
christoph
I can understand why it would be there for date & time. I guess I more don't
understand why it's not there for networking - you can add a proxy in (or even
a whole new network adapter) for all network traffic without admin rights!?

~~~
derefr
I don't think "sharing-only" accounts can; only regular accounts. Keep in mind
that a non-"sharing only" account is an account with a special privilege: it
can log in through the local-framebuffer LoginWindow. This translates to an
assumption that the computer is–at least temporarily— _in the physical
possession_ of said user. They're at least sitting down in front of it; they
may have been leased it by their employer.

The global prefs that can be reconfigured by "regular users" (i.e.
non-"sharing only" users) are precisely those prefs required to keep the
system in a working state if you're physically in possession of it and doing
the things that possession of a computer implies. For example, you can move a
computer you physically possess to a new location–at which point the same
wireless networks won't be available, and maybe you won't be able to get
online without a proxy. So, in order to ensure that just going places doesn't
necessitate a call to corporate IT, the default† is to let any non-"sharing
only" user configure networking.

† "Default" because these prefs _can_ be locked down using a configuration
profile (like a windows Group Policy Object) by corporate IT if they need a
computer specifically secured against these changes, such as a public-use
kiosk.

------
atonse
I have a feeling this isn't actually that High Sierra is that much worse, but
more that people are now actively pen-testing macOS to find the next
embarrassing bug.

And that scares me even more because of the unknown of how long such bugs
must've existed in the system.

Is this Apple's Windows XP moment? (Like when MS stopped everything and did
massive security training that resulted in XP SP 2 being worlds more secure?)

~~~
gregoriol
Most of the recently discussed High Sierra bugs were not there on Sierra,
while the features were there, like this one.

So it's not that much pen testing, but Apple making changes and not
validating them correctly. Maybe they have their Vista moment with High
Sierra, maybe we forgot previous buggy versions.

~~~
xattt
Could this be the result of shifting quality assurance to the general public
through public betas?

~~~
gurkendoktor
For security-related bugs, maybe. When I file bugs with Apple (which I've
mostly given up on), they are usually marked as a duplicate of another still-
open bug. So it seems that people actually file bugs -- free QA works! -- but
there's not enough time to fix them.

------
jtchang
If you read the notes:

This only appears to be when logged in as a local admin. Tested with a non-
admin account and I cannot unlock the prefpane with incorrect credentials.

So basically they are checking to see if you have credentials already. I guess
this is a caching issue since you locked it.

~~~
oneeyedpigeon
That makes an awful lot of sense, in which case the bug is just not checking
that the login is 'cached' before displaying the dialog. In a similar vein to
another comment, though, why doesn't that dialog detect the state of the
'login cache' consistently across all occurrences?

------
qaq
C'mon Apple, I know security people are in short supply but:

A) You have the resources B) This is the type of bug that any semi decent QA
process should catch anyway

~~~
donatj
It seems like the type of bug that there should be a unit test for.

------
dcx
I'm on 10.12.6 and a local admin account, and it only unlocks to my actual
password. That might mean it's a recently-introduced bug (assuming someone
else can reproduce my result).

~~~
heartbreak
It doesn't reproduce for me on 10.12.6 either. It only works on High Sierra
(10.13).

~~~
pvg
I can't reproduce it on 10.13.3 Beta (17D29a). So it might have been fixed
already.

------
dajohnson89
sorry if this is a dumb question, but: why is it unreasonable for a local
admin to have the power to change AppStore preferences? without knowing much
about the osx security model, this sounds like not a big deal?

~~~
aetherson
For certain features, they want you to reconfirm that the user presently at
the keyboard is the real admin at the moment that you do it.

This prevents a situation where the actual admin logs in, their attention is
taken away from the computer, and someone sits at their chair and does awful
things with the computer.

~~~
dkonofalski
What "awful" things could be done exactly in the App Store panel?

~~~
Someone1234
If they have "'Always Require' Password for Purchase" enabled, you could
disable that and buy apps from the app store without a password.

For example you could let your kid use your Mac, but you don't want them
spending your money via your app-store linked credit card. If they have access
to the App Store Preferences panel they can disable the requirement and do so.

~~~
dkonofalski
They would be prompted for the App Store password the first time a purchase
was made after this is disabled so, no, that's not an issue here.

------
kylehotchkiss
If an Apple developer is reading this, your team should consider system-wide
input testing. It'd be worth the developer time. Who knows how things can
break if long, crazy strings are inserted.

------
dmitriid
What do you get when you tell everyone that “MacOS and desktop computing are
as important to our company as ever” when in reality you barely give a crap
about it.

~~~
jtbayly
a cookie.

And a raise.

------
jmull
This is a fairly minor bug, since, apparently, it only happens when already
logged in as admin (and it’s “just” App Store prefs). (I get that you can come
up with scenarios to exploit this, but come on.)

But, wow, how many bugs is this for High Sierra where a password prompt can be
bypassed?

It’s like password prompt flu is going around Apple.

Was there bad sample code distributed or some change in the default behavior
of some key API? (In addition to the obviously inadequate testing.) I guess it
would make more sense to me if there was something connecting all these
issues. (Besides the inadequate testing.)

------
jaimehrubiks
Can confirm it doesn't work on "Sierra", so it must be high sierra's feature.

------
mrmattyboy
Can confirm - with my colleague's laptop - much to his amusement :)

------
jaclaz
Though it is "queer", it doesn't seem to be that much a security issue, or -
more probably - I am failing to understand the risk implied.

Can anyone describe a possible scenario where this would pose a security risk?

~~~
foz
A user with access to a mac could enable the option to automatically install
macOS updates, which given recent trends, could impose a security risk.

~~~
briandear
> could impose a security risk

How?

Installing a Mac OS update could be considered a security risk? That makes
little sense since the security risks you're alluding to were solved by
updates. 10.13.2 partially fixed the Intel problem in December and 10.13.3
will have more fixes. If you were still running 10.13.1, you'd have both the
root login bug and the Intel security issues.

If you were still running Sierra, keeping Sierra updated results in solving
the following security issues:
[https://support.apple.com/en-us/HT207483](https://support.apple.com/en-us/HT207483)

The Mac OS version out right now is more secure than the previous minor or
major version. There really isn't any credible evidence to the contrary.

It's irresponsible to not update your system. I understand not moving up to a
new version of an OS because of compatibility issues (i.e. audio interfaces
often are sluggish to update, libraries you need might not work, etc.,) but
not updating because of security fears -- that's just ridiculous. 10.13.3 is
more secure than 10.12.2.

Also, in order to "exploit" the reported bug, you would have to already be
signed into the computer AS AN ADMIN. Which means that you could already
change the updating behavior. So unless you are sharing your admin
login/account with non admin users, the risk you cite is pretty trivial.

If you are in a higher risk computing environment, it would be logical that
you would sign out of your account after you've finished using the system --
you would essentially have to provide an unauthorized person access to your
Mac while you were signed in before this would be an actual threat. That
doesn't make the bug less "real," but it does make the real-world security
ramifications much less dire than being implied.

~~~
jaclaz
> If you are in a higher risk computing environment, it would be logical that
> you would sign out of your account after you've finished using the system --
> you would essentially have to provide an unauthorized person access to your
> Mac while you were signed in before this would be an actual threat.

So, the most that can realistically happen is that if you leave your Mac
unattended while logged in as Admin, a co-worker or friend might get in and
install some app to play a prank on you.

I mean, unless _somehow_ a malicious app has been approved on the Apple store
and is available to download through the changed setting (and the "evil" co-
worker/friend knows about it), but still the base security risk remains
leaving the device unattended and making it physically accessible by someone
else while still logged in as Admin.

------
Corrado
I don't know if I'm doing it wrong or maybe the problem has been fixed in the
latest beta, but I can't replicate the problem on 10.13.3 Beta (17D34a). I
lock the App Store preference pane and can't unlock it with anything except my
real password. And yes, I am logged in as an Admin user.

------
bitL
Maybe it's Apple's strategy - let macOS slowly disintegrate and then give iOS
to frustrated desktop users as the only right way? Last time I've seen that
strategy was when Nokia had a mole as CEO installed, though the outcome wasn't
very nice to either Nokia or MS...

------
slenk
My AppStore preferences do not even have a lock icon on 10.11.6. Must be in
newer versions only?

------
alwillis
FYI—I’m running the latest public beta of 10.13.3 (17D34a) and couldn’t
duplicate this issue.

------
anderworx
It's a bug. Bugs happen. It will be fixed. Take a deep breath, or a sedative,
and relax.

------
dreamfactored
So is it that they don't have an automated test suite or the coverage is poor?

------
oh-kumudo
macOS High Sierra is such a disaster. Does Apple have any quality control over
software at this point? No security vending? How could they have customers'
trust if they keep making such idiotic mistakes?

------
briandear
Kind of a silly title "AppStore Preferences lock is a lie" -- it isn't a
"lie" unless Apple intended for it to not lock correctly. But obviously, it's
a bug. It isn't like Apple is trying to deceive users.

Interesting bug, unnecessarily hyperbolic title for it.

~~~
pvg
It's supposed to be amusing. Think 'the cake is a lie'.

------
coverband
So basically it's a UI bug, not a serious security vulnerability.

