Mac exploit lets you change App Store preferences with any password
Apple is promising to prevent missteps like this from happening again.
Apple's Mac password troubles aren't over yet. Users have discovered that it's possible to change Mac App Store preferences in macOS High Sierra using any password. You do need to log in as an administrator, which is supposed to unlock preferences, but you're allowed to use any password you like if the preference is locked and you need to get access again. Other sections still require a correct password.
We've asked Apple for comment on the apparent bug and will let you know if it can provide a response, although we've learned that this shouldn't expose users and that it should be fixed with the upcoming macOS 10.13.3 update (the fix is already present in the beta).
It's not going to be a serious issue when an intruder needs admin-level access, but it could be a concern if an attacker already has those privileges. They could loosen your password restrictions for downloads (say, to go on a shopping spree without your consent) or force automatic updates if they know a newer app or OS release is vulnerable. And of course, this illustrates that the company still has avoidable security hiccups to address.