Does Apple Even Pay Attention to macOS Security Anymore?
Published: 2019-05-11

lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

I get it: tech journalists tend to lose their mind when it comes to Apple. The slightest flaw is hyped up beyond belief, given a name ending in “gate,” and then forgotten about within a month. It’s a regular cycle at this point, and it makes it hard for readers to recognize actual problems.

A Bit of History

So let’s review quickly. Back in November, 2017, a macOS bug let anyone in System Preferences simply by typing “root” as the username and making up literally any password. Instead of denying you access, like a well-designed system would, macOS High Sierra would just create a root account using whatever password you entered.

In addition to being mind-numbingly insecure, this is bizarre behavior. Why in the world would making up a root password create a root account out of whole cloth? What is happening in the backend that makes that possible?

It’s hard to imagine, which is why this wasn’t a case of tech journalists exaggerating. It was really, really bad.

And the cleanup after that bug didn’t inspire much more confidence. Sure, Apple issued a patch that fixed the issue, but many users ended up reintroducing the problem if they installed the week-old 10.13.1 update after installing. Only with the release of 10.13.2 was the problem fully fixed, and that wasn’t until December, 2017.

But at least that was the end of it. Right?

The Latest Problem

Not quite. It turns out there are more inexplicable security problems in System Preferences. You can re-create this one easily in 10.13.2 if you want to play along at home, so open a window and join me! Open System Preferences in an Administrator account, and then head to App Store. You’ll notice the lock at bottom-left is open by default, meaning you’re free to change settings.

I’m not sure why the lock is there at all if it’s unlocked by default, but whatever. Click the lock to “secure” this panel, and then click it again to unlock it. Here’s the trick: you can type literally any password you want and the panel will unlock.

The same goes for the username: you can put anything you want in that field and the panel will unlock. I typed “Harry” as the username and “is dumb” as the password and it worked; so did “Justin” and “is awesome.”

Practically, this isn’t much of a problem: again, the panel in question isn’t locked down by default, and unlocking this panel does not give you access to any other locked panel.

The problem is we don’t know why this is happening, and whether the bug that allows it may exist elsewhere. As with the earlier bug, it’s amazing no one caught this problem in testing, and it really makes you wonder how much you can trust macOS to keep your data locked down.

We’re sure an update will patch this up, especially now that the media is making a fuss. But contrary to what you might think, I don’t like making a fuss. I’d rather things be locked down. Apple needs to step up their game on the security front, because stuff like this makes it seem like they’re not even paying attention.

Translated from:

Reposted from: http://oibwd.baihongyu.com/
