Apple Apologizes for Error That Lets Bogus Passwords Unlock App Store Preferences on macOS High Sierra

Photo: REUTERS/Beck Diefenbach. Apple CEO Tim Cook speaks under a graphic of the new MacBook Pro during an Apple media event in Cupertino, California, U.S. October 27, 2016.

Apple immediately recognized and apologized for a recently discovered weakness in its App Store's password security on macOS High Sierra.

Mac Rumors spotted a report on Open Radar titled "[App Store] Preferences lock is a lie" that talked of how a "bogus password" could actually unlock an App Store Preferences tab.

The Open Radar report was based on a computer running macOS 10.13.2 with build number 17C88.

The error only shows up when the user is logged in to a local admin account. To test whether a device is affected by this issue, macOS users can go to the App Store Preferences panel, click the lock icon and enter any incorrect password. Instead of denying access, the report claimed, the panel accepts the wrong credentials and unlocks.

Mac Rumors tried to reproduce the error and confirmed that it worked on the computer they used, but only when they were signed in to a local admin account.

The same report added that the error did not seem to affect MacBooks with macOS Sierra version 10.12.6 or earlier.

Probably learning from the backlash it recently faced over reports that it was throttling the CPU performance of iPhones with older batteries, Apple immediately responded to the discovery that any password could be used to unlock the App Store's System Preferences when signed in to a local admin account.

"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again," Apple said.

Meanwhile, TechCrunch suggested that the recently found error was not as serious as another login bug discovered earlier on macOS. Also, based on the reports, it appears that an attacker who wants to access an App Store user account would have to physically operate the affected device. The perpetrator would also need to have access to the MacBook's local admin profile.

Apple has reportedly issued a fix for this error in macOS 13.3.3. However, this version is still in its beta stage and has yet to be released in full this month.