Once again there is a security hole in the current version of macOS High Sierra. It allows you to unlock the App Store menu in System Preferences with any password.

A bug report published on Open Radar has all the details. Even on the latest macOS High Sierra 10.13.2 you can change the App Store settings with any password you like, but this only works from an admin account.

Click System Preferences.
Click App Store.
Click the lock symbol to lock it if necessary.
Click the lock icon again.
Enter your username and any password.
Click Unlock.
Voilà!

As mentioned on Radar, the gap cannot be exploited by a non-admin. According to a report by MacRumors, the gap cannot be reproduced with the third and fourth betas of macOS High Sierra 10.13.3, suggesting that Apple is currently fixing the vulnerability. Important: The update is still in the testing phase.

The gap cannot be reproduced on macOS Sierra either, suggesting that the problem only affects macOS High Sierra.

How serious is the gap?

Anyone with administrative access can use it to unlock the settings in the App Store and enable or disable the settings that automatically install macOS updates, app updates, system data files, and security updates. Now it's clear why normal users should never use their Mac with admin rights.
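Because the settings at risk are the automatic-update switches, a quick audit of their stored values shows whether any of them has been turned off. The following is an added example, not part of the original article; the plist paths and key names are assumptions about where High Sierra stores these checkboxes, and `SAMPLE` is constructed data.

```python
import plistlib

# Assumption: these system-level plists and keys back the App Store pane's
# checkboxes on High Sierra (paths and key names are not from the article).
EXPECTED = {
    "/Library/Preferences/com.apple.SoftwareUpdate.plist": {
        "AutomaticCheckEnabled": "Automatically check for updates",
        "AutomaticDownload": "Download newly available updates",
        "ConfigDataInstall": "Install system data files",
        "CriticalUpdateInstall": "Install security updates",
    },
    "/Library/Preferences/com.apple.commerce.plist": {
        "AutoUpdate": "Install app updates",
        "AutoUpdateRestartRequired": "Install macOS updates",
    },
}

# Constructed sample: security updates switched off, one key never written.
SAMPLE = {
    "/Library/Preferences/com.apple.SoftwareUpdate.plist": {
        "AutomaticCheckEnabled": True, "AutomaticDownload": True,
        "ConfigDataInstall": True, "CriticalUpdateInstall": False},
    "/Library/Preferences/com.apple.commerce.plist": {"AutoUpdate": True},
}

def load(path):
    """Parse an XML or binary plist; return None if missing or malformed."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:
        return None

def audit(prefs_by_path):
    """Return (path, key, label, state) for each setting that is not enabled."""
    findings = []
    for path, keys in EXPECTED.items():
        prefs = prefs_by_path.get(path)
        for key, label in keys.items():
            if prefs is None:
                state = "unreadable"
            elif key not in prefs:
                state = "unset"      # never written: review the pane by hand
            elif prefs[key] in (True, 1):
                continue             # enabled, nothing to report
            else:
                state = "disabled"
            findings.append((path, key, label, state))
    return findings

if __name__ == "__main__":
    for path, key, label, state in audit({p: load(p) for p in EXPECTED}):
        print(f"{state.upper():10} {label} ({key} in {path})")
```

Run periodically on an admin-operated Mac and compare against the previous run; a setting that flips to disabled without a matching change request is worth following up.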

This is the second password-based bug to hit macOS High Sierra. Last year, a giant security vulnerability was discovered that allowed access to the root superuser account with a blank password on macOS High Sierra version 10.13.1. Apple postponed a security update, but the reputational damage was huge.

Following the root password gap, Apple made a public statement affirming that it would audit its development processes to prevent this from happening again. Well, that's hardly possible so soon.

Apple will probably want to fix this latest vulnerability as soon as possible, so it's possible that there will even be an interim update.
