A new bug has been introduced with macOS High Sierra 10.13.2 (17C88) which allows any admin account to access the App Store preferences from the System Preferences application with an incorrect password. According to the Open Radar listing, the bug is not reproducible on High Sierra 10.13.1 nor can a non-admin account gain access.
The bug is reproducible by logging in as a local admin, opening App Store preferences from the System Preferences app, locking the padlock if it’s already unlocked and then unlocking again by typing in an incorrect password. If you’re on macOS High Sierra 10.13.2, any password will unlock the preferences.
In November, Apple had to patch a vulnerability that allowed access to the root superuser account with a blank password. At the time, Apple said in a statement:
“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
It doesn’t look as though any other password-protected settings can be accessed with an incorrect password, and luckily none of the settings in the App Store preferences pane are too sensitive, so this is a lot less serious than the bug from November.
The issue has been fixed in the High Sierra 10.13.3 beta. In the meantime, make sure that you don’t leave yourself logged into an administrator account when the computer is unattended, and ensure that any users whom you don’t trust are on a standard account rather than an admin account.
Source: Mac Rumors