Apple has yet another password bug in macOS High Sierra. Users of macOS High Sierra 10.13.2 can unlock Setting > Mac App Store (MAS) using any string of text for a password, allowing anyone to change your MAS settings. Fortunately, Apple has confirmed that macOS High Sierra 10.13.3—which is in beta now—corrects the issue (via Macworld).
To test this yourself, go to Settings > Mac App Store. If your panel isn’t already locked, lock it by clicking the lock in the lower left corner. Once locked, click it again, enter your user name, and enter anything you want for a password. Click unlock, and there you have it.
In the example above, I was able to unlock my settings using a single character for a password. Note that my password is not a single character.
On its own, this password bug is nowhere near as bad as the root password bug in macOS High Sierra revealed late last year. There is no setting, for instance, that would allow you to make purchases on the MAS without a password. The closest thing is a setting allowing you to make purchases for 15 minutes after having already authorized a purchase via password.
But—and it kills me to say this—this unrelenting wave of security snafus from Apple is soul crushing. Quality Assurance seems to have vanished from a company that made its mark, in part, on having higher quality than everyone else. Apple is causing me to question the company’s ability to see to the small things, let alone the big things.
As noted above, Apple has already confirmed this issue is corrected in macOS High Sierra 10.13.3. This update should be released relatively soon.