It turns out that for three years Apple has been ignoring reports of a bug that allows children to circumvent parental controls and access pornographic sites
Apple offers '
How Broken Are Apple's Parental Controls? It Took 3 Years to Fix an X-Rated Loophole. - WSJ
https://www.wsj.com/tech/personal-tech/a-bug-allowed-kids-to-visit-x-rated-sites-apple-took-three-years-to-fix-it-17e5f65d
Apple's Screen Time parental controls are broken, and it feels like an afterthought for the company.
The latest example? Two security researchers have been reporting a bug to Apple since 2021 that lets kids visit blocked sites.
Only after I called did Apple say it would be… pic.twitter.com/dPfPzDOYcb
— Joanna Stern (@JoannaStern) June 5, 2024
iPhones and iPads have a Screen Time feature that tracks how much time your child spends on each app, and you can enable parental controls under Content & Privacy Restrictions.
However, Vienna-based security researcher Andreas Jägersberger discovered in 2020 that by opening the Safari browser on Apple's various operating systems (iOS, iPadOS, macOS) and entering a specific string in the address bar, it was possible to circumvent the website access restrictions set by parental controls. There was also a way to use device management software to circumvent the website blacklist set on company smartphones and MacBooks.
Jägersberger and his colleague Roe Achterberg reported the issue as a 'security vulnerability' to Apple's security team in March 2021. Apple has a program called 'Apple Security Bounty' that pays rewards for reporting vulnerabilities in its products, and Jägersberger and his colleague applied to this program.
The next day, Apple claimed the issue wasn't a security vulnerability and asked Jägersberger and his team to submit a report via their feedback tool. They did so, but there was no response from Apple and no sign that the issue would be fixed.
So Jägersberger and his team reported the issue again in August 2021, but Apple's security team said it 'did not see any real security impact' and did not respond to the report via the feedback tool. 'Apple rejected it without any understanding of the implications or severity of the issue, which was frustrating,' Achterberg said.
Jägersberger and his team feared that others would discover this vulnerability and spread it on TikTok and YouTube as a way to bypass parental controls, posing a danger to children and their families. They also saw it as a gateway for malicious attacks against companies, given that similar methods could be used to circumvent web filters on employee-loaned devices.
But despite the team's repeated reporting and revisions over the course of three years, Apple's security department showed no signs of addressing the vulnerabilities, so the pair contacted Joanna Stern, a reporter for The Wall Street Journal.
Stern actually enabled parental controls on an iPhone and iPad running iOS / iPadOS 15, 16, and 17, restricted access to adult websites, and then tried the method discovered by Jägersberger and others.
As a result, even though the adult website access restriction was indeed enabled, she was able to access pornographic sites, watch violent and graphic images on YouTube, and browse websites on Google that explained 'how to buy cocaine.' The same workaround also worked on Safari on a MacBook Pro. Stern said, 'All I had to do was enter a string of characters (which I won't write here to avoid misuse) and a web address.'
When Stern contacted Apple, a spokesperson said, 'We are aware of an issue in our underlying web technology protocols for developers that could allow for a circumvention of web content restrictions. We plan to fix this in our next software update,' a response completely different from the one Jägersberger and his colleague had received. The spokesperson also claimed, 'We take reports of issues with Screen Time very seriously and have consistently made improvements to ensure that users have the best experience.'
While acknowledging the existence of the problem, the spokesperson denied that it was a security vulnerability, insisting that it was merely a 'software issue.' The spokesperson explained to Stern that the bug bounty program only covers 'security holes' that could allow attackers to access user data or take control of a device, and that the issue in question does not qualify as a security hole.
It has been pointed out that Apple's parental controls have a bug that allows screen time limits set via Family Sharing to be automatically removed.
Apple admits to Screen Time bug that lets kids use apps and games beyond parent-imposed time limits, but fix is difficult - GIGAZINE
In addition, according to Stern, problems such as 'Screen Time usage graphs not showing the correct time,' 'notices requesting approval for extending app usage time or new downloads are not received,' and 'applications that have been downloaded and then deleted can be re-downloaded without permission' have been reported. Apple has reportedly fixed several of the issues reported by Stern in iOS 17.5.
'Apple's systems for protecting its youngest users feel like an afterthought,' Stern said, calling on Apple to fix Screen Time and parental controls.