Mac App Store overwrites Applications with matching bundle IDs even if never purchased on AppStore!

Originator: dan
Number: rdar://45170769
Date Originated: 10/10/2018
Status: Open
Resolved: No
Product: macOS + SDK
Product Version: All
Classification: Serious Bug
Reproducible: Always

The Mac App Store does not check to see if a user purchased or downloaded software when performing updates.

Steps to Reproduce:

- Create an application with the same bundle ID as any app on the App Store
- (Make sure you are signed into your MAS account)
- The App Store will *automatically* update the software as long as the bundle ID matches and the version is lower than the App Store version... even if the user NEVER downloaded it from the App Store.

This is poor practice and could lead to a serious hack! Imagine that someone could get software for free using this kind of technique, by spoofing a bundle ID. I'm testing this out right now.

Expected Results:

- App Store should CONFIRM

Actual Results:

- Software gets overridden

Version/Build:

- All known versions of MAS, including 10.14

Configuration:

- 10.14


See my earlier (ignored) bug report of this issue, 34051868 (not posted here; from August 2017).
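A defender-side inventory check for the condition described above, written as an added example that is not part of this report: it reads each bundle's CFBundleIdentifier and version and flags apps that lack a Mac App Store receipt (assumed at the standard Contents/_MASReceipt/receipt location), since those are the installs the report says the App Store will still overwrite on a bundle-ID match. The demo builds constructed sample bundles in a temporary directory; on a Mac, point audit_applications at /Applications.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed standard location of the Mac App Store receipt inside a bundle.
RECEIPT_REL_PATH = Path("Contents") / "_MASReceipt" / "receipt"


def inspect_app(app_dir):
    """Return bundle id, version and whether a Mac App Store receipt is present."""
    app_dir = Path(app_dir)
    with open(app_dir / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    return {
        "path": str(app_dir),
        "bundle_id": info.get("CFBundleIdentifier"),
        "version": info.get("CFBundleShortVersionString"),
        "has_mas_receipt": (app_dir / RECEIPT_REL_PATH).is_file(),
    }


def audit_applications(root="/Applications"):
    """Inspect every .app under root; bundles that cannot be read are skipped."""
    findings = []
    for entry in sorted(Path(root).glob("*.app")):
        try:
            findings.append(inspect_app(entry))
        except (OSError, plistlib.InvalidFileException):
            continue
    return findings


def apps_without_receipt(findings):
    """Apps not installed via the App Store, yet still matched by bundle ID for updates."""
    return [f for f in findings if not f["has_mas_receipt"]]


def make_sample_app(root, name, bundle_id, version, with_receipt):
    """Constructed sample bundle (not a real app) so the audit runs offline."""
    app = Path(root) / f"{name}.app"
    (app / "Contents").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleShortVersionString": version}, fh)
    if with_receipt:
        (app / RECEIPT_REL_PATH).parent.mkdir(parents=True)
        (app / RECEIPT_REL_PATH).write_bytes(b"constructed placeholder receipt")
    return app


def demo():
    root = tempfile.mkdtemp()
    make_sample_app(root, "StoreApp", "com.example.store", "2.0", True)
    make_sample_app(root, "DirectApp", "com.example.direct", "1.0", False)
    return audit_applications(root)


if __name__ == "__main__":
    for f in demo():
        flag = "" if f["has_mas_receipt"] else "  <- no MAS receipt; still matched by bundle ID"
        print(f"{f['bundle_id']:<22} {f['version']:<6} {f['path']}{flag}")
```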
