The good news is that this bug appears to be limited to the App Store preference page as the padlock does not unlock other sections within System Preferences, so user accounts and other settings can't be changed.
Assuming the attacker were able to gain such access, they would still only be able to change the user's preferences in the App Store. You do need to log in as an administrator, which is supposed to unlock preferences, but you're allowed to use any password you like if the preference is locked and you need to get access again. Flipping those settings could be used in conjunction with another attack to ensure a system wasn't patched to close a security hole, though local access, or at least administrator access from a remote location, is required.
However, coming soon after a previous "root user" password flaw discovered in December, as well as the Meltdown and Spectre chip flaws, the timing is likely to shake consumer confidence.
Enter any bogus password you like and the system will grant you access. If the bug exists on your computer, you can put in any password and the padlock will unlock regardless.
"IT JUST WORKS," Apple fans have screamed for years at PC and Android users, extolling the virtues of Cupertino's slick software development over Windows' open nature. MacRumors states that it cannot reproduce the error on the beta versions of macOS 10.13.3, suggesting it'll be fixed in an upcoming release.
The bug report highlighted that this new discovery was another embarrassing password-related flaw for Apple. The earlier "root" bug allowed users to log into a system by typing "root" for a login, then hitting enter for a login attempt several times in a row. Our customers deserve better. There's no current workaround to this issue, so the only real option is to wait for Apple to provide a solution.