Last November 2017 Apple faced a very nasty bug on it’s macOS High Sierra operating system, which allows anyone with physical access to a Mac to gain system administrator or root access without having to input any password. Security researchers are not giving the Apple Devs a good time, just 3 days ago another bug was discovered this time the AppStore preferences again accepts an empty password or any password.
The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password.
Steps to Reproduce:
1) Log in as a local admin
2) Open App Store Prefpane from the System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter any bogus password or empty password.