But it's not as bad as the last one. That proviso won't stop the bug from raising concerns about the overall quality of Apple's software. But it means the flaw doesn't hand anyone the keys to the kingdom.
Let's compare. In November, users found anyone could log into a Mac with just the user name "root" and no password whatsoever. That's a serious flaw that undercut the most basic line of security protecting the content of your computer from thieves, or even prying friends, family or co-workers. On Monday, a report surfaced that someone could log into your App Store preferences with any entry into the password field. Apple didn't immediately respond to a request for comment.
CNET confirmed the bug by slapping random keys into the App Store preferences password field on a Mac running the most recent High Sierra operating system (10.13.2). Boom, we were logged in. CNET could take full control of, well, the computer's App Store preferences. Not exactly the kind of all encompassing power one might expect from bypassing a password.
To make this very clear: to take advantage of this flaw, an attacker would have to wait for an unsuspecting Mac user to walk away from their computer without logging out.
Then this malicious person would need to rush up to the computer, open up the App Store preferences, and enter any old combination of keystrokes to log in and make changes. Finally, the saboteur could do something as dastardly as getting your computer to stop automatically checking for software updates.
CNET checked on a Mac running the next version of High Sierra (10.13.3), which hasn't been released to the general public yet, and found that the issue is no longer present. It isn't a huge security concern, but this is the second login bug found in Apple's High Sierra operating system
No comments:
Post a Comment