There's a bug in macOS High Sierra that, if an administrator account is logged in, allows anyone to access Mac App Store settings even if they don't enter the correct password.
Joe Rossignol, reporting for MacRumors:
A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
It works on the current release version of macOS High Sierra, 10.13.2, but has already been fixed in the current beta version of macOS High Sierra, 10.13.3. (And it doesn't work in macOS Sierra 10.12.6 or earlier.)
It's a super dumb bug but not one that most users will need to worry about in the real world. (Though everyone should update to macOS 10.13.3 when it becomes available, just in case.)
But, it's a super dumb bug. And it's only one of several login related bugs that have plagued macOS High Sierra since release.
There's been some speculation about the timing of these authentication bugs coinciding with Apple's move to ARM-based security with the T1 chip in MacBook Pro and T2 in iMac Pro. Likely no one outside Apple knows whether it's that or something completely unrelated, or exactly why these bugs are happening and why they're happening now.
I don't think it matters. They simply can't keep happening. Why is interesting only in so far as figuring out how to stop them from happening again.