There's a newly discovered security hole in the current version of macOS High Sierra that allows anyone with access to your Mac to unlock your App Store System Preferences without your system password.
For now, however, the steps to reproduce the bug on an administrative-level account are pretty easy, as outlined in a bug report on Open Radar.
Once logged in, users can manage a host of settings related to the App Store, including enabling or disabling automatic downloads and app updates, managing OS security updates, etc.
Aaron Lint, veep of research at infosec biz Arxan, claimed the trick can also be used to bypass the login requirements for some other settings panels, but not the important "Users and Groups" and "Security and Privacy" controls.
Assuming the attacker would be able to gain such access, they would still only be able to change the user's preferences in the App Store.
The bug report details that users can open up System Preferences and navigate to App Store settings.
With I Am Root still fresh in the memories of users and the recent hoopla over Meltdown and Spectre not yet having died down, this comes at a particularly unwelcome time.
He writes in the summary section, 'The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password'.
Then click on the padlock again to unlock it and a prompt should pop up where you can enter your username and password.
The bug, we gather, is fixed in the latest macOS 10.13 beta releases, and will be addressed in the next official release, too.
'Our customers deserve better.
Apple has reportedly already fixed the bug in beta versions of the next macOS High Sierra update, which will be rolled out to the public in the coming weeks. "We are auditing our development processes to help prevent this from happening again."