Mac OS X Mail parental controls vulnerability

By | August 3, 2010

The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent. The Mail client can be fooled into adding any address to the child’s whitelist (i.e., the list of addresses with whom the child is allowed to correspond), as if the parent had approved the address, without his/her knowledge or consent. This vulnerability can be taken advantage of by the child or by any third party anywhere on the Internet.

I first notified Apple about this vulnerability on July 23, 2010. In response, Apple claimed that parental controls are only intended for young children and that the level of security they provide is adequate for that purpose. This response is off the mark for two reasons:

  1. The documentation that comes with the Mac says nothing about the controls being intended only for young children, nor does it suggest that a tech-savvy child could bypass them.
  2. This response ignores the fact that the controls are also intended to keep unwanted outsiders from corresponding with children, and even if the children can’t figure out how to bypass them, the outsiders certainly can.

Apple and I have exchanged several rounds of email since their initial response. They have created an issue in their bug-tracking system, and they claim that they are taking it seriously and intend to fix it. However, they have refused to assign a CVE ID and will not give any sort of time-line for disclosure or patching.

A CVE ID is supposed to be assigned to an issue as soon as it is known to the public. The point of CVE IDs is to allow all public discussion of a vulnerability to refer to a common identifier which ties the discussion together. Since Apple is a CVE CNA, they are responsible for assigning CVE IDs to vulnerabilities in Apple software. Apple told me they won’t assign a CVE ID until they release a fix. They should have assigned a CVE ID when I asked them to do so. According to Mitre, “If the affected software vendor is a CNA, then the researcher must obtain the CVE-ID from the vendor,” which means that Apple’s refusal to issue a CVE ID has prevented me from including one in this initial disclosure.

On August 1, 2010, I reported this vulnerability to CERT. They responded, “… unfortunately, because of our current case load we will not be able to handle the coordination or disclosure,” and further instructed, “Please continue to work with the vendor directly.” I am disclosing the vulnerability (albeit not the details of how to exploit it) here because I am dissatisfied with Apple’s response and believe that their refusal to assign a CVE ID or disclose the vulnerability is unacceptable.

Getting the child’s and parent’s email addresses

As noted above, all that is necessary to take advantage of this vulnerability is for the attacker to know the addresses of the child whose whitelist s/he wishes to compromise and his/her parent.

It might seem implausible that a third party would be able to obtain a child’s and his/her parent’s email addresses while at the same time not being someone whom the parent wishes to allow to correspond with the child. Nevertheless, there are numerous scenarios in which this might occur. For example:

  • An unwary child may simply reveal the information, e.g., in a chat room.
  • Some Web sites intended for children actually require the child to provide their own and a parent’s addresses.
  • A non-custodial parent may know the child’s and other parent’s email addresses while not being authorized to exchange email directly with the child.

Workarounds until the vulnerability is fixed

Parents utilizing Mac Mail parental controls can protect themselves against this vulnerability as follows:

  1. Disable parental notification of unapproved addresses by removing your email address from the notification field for your child in the parental controls application. If you do this, then your child will need to ask you directly to add new addresses to his/her whitelist, and you will need to add them manually through the application.
  2. Review your child’s whitelist in the parental controls application on a regular basis to confirm that no unrecognized addresses have been added to it.
Print Friendly, PDF & Email

14 thoughts on “Mac OS X Mail parental controls vulnerability

  1. Vera Schafer

    Yesterday I created a profile for my 6th grader granddaughter and authorized a few emails of family members. Then I asked my daughter to reply using her work email (which was not included in my list) and it simply got delivered. No hacking or anything. It simply went through! It’s so disappointing because I really want to use this type of communication as an added tool to encourage/improve her reading/writing skills…

  2. Mark Abajian

    Thank you for pursuing this with Apple. I’ve been disappointed in their “Parental Controls” for several years now.

    Another major failing is that parental controls set for OS X Mail do not propagate to the MobileMe online mail client. If my child reads his/her mail on using their MobileMe “Family Pack” sub-account, the parental controls set in OS X are bypassed.

  3. Dominik Hoffmann

    I, too have found this particular functionality of Parental Controls to be buggy.

    I disagree with the poster who says that we should just educate our children about the dangers of going online. First, we don’t want to broach subjects we couldn’t appropriately discuss at their level of maturity. Second, in their preteen years many children don’t possess the technical expertise to bypass security measures (e.g., my children wouldn’t have a clue about how to install Thunderbird as an alternative to Mail). Third, they might not have the experience to distinguish what is harmless from what is dangerous.

  4. Pingback: Plaats hier software gerelateerd nieuws! - Page 24

  5. RichieB

    I agree with Apple that if an individual already knows the child and parent E-mail addresses. the risk posed by circumventing the parental controls is medium at best. However, the approval process seems flawed (does it rely on SMTP headers?) and should be fixed.

    Parents however should realize that these type of parental controls are (and always will be) weak. Instead of limiting your children’s online experience, educate them about the dangers of communicating with strangers (in general, not only online) and disclosing private information. This way they will become more responsible netizens that will be able to take care of themselves online.

    1. jik Post author

      @RichieB: I agree with pretty much everything you wrote. However, my major complaint is that if you’re going to offer a security-related feature, it’s your responsibility and obligation to make it secure. Where Apple failed unacceptably was in implementing a laughably insecure “security” feature.

  6. David

    Good luck with this. Unfortunately I found the whole Parental
    Controls system to be buggy and cumbersome to the point where it was useless, so had to remove it from my son’s account. I think it will be a while before it’s deemed worthy of a rewrite.

  7. Commonsensicus

    You shouldn’t refer to this bug as a “vulnerability” or an “exploit”. All it allows you to do is send email to someone whose email address you already know. That’s not terribly surprising, really. Now, if this bug allowed the attacker to actually execute code on the victim’s machine, you could call it an “exploit”; but just being able to hold an email conversation with the victim isn’t a bad thing.

    For CVE, a vulnerability is a state in a computing system (or set of systems) that either:

    * allows an attacker to execute commands as another user
    * allows an attacker to access data that is contrary to the specified access restrictions for that data
    * allows an attacker to pose as another entity
    * allows an attacker to conduct a denial of service

    This is pretty clear from MITRE’s website, which you seem to be fond of, so it’s surprising that you’re making a big deal about it.

    1. jik Post author

      I respectfully disagree.

      The parental controls impose a security restriction, i.e., a restriction on the entities with whom a user is allowed to exchange email. This vulnerability allows that restriction to be bypassed, which is to my mind makes it applicable to both the second and third points you listed.

      I’m making a big deal out of it because it is a big deal. Parents are led by Apple to believe that the parental controls will prevent their children from being able to correspond with strangers on the Internet, which is a huge safety concern, when in fact that they will not.

  8. Sabahattin Gucukoglu

    “You may be right, but I’m doing my best to try all other potential channels before resorting to that.”

    Join the club, mate. And I hope your will is stronger than mine. My issue got a CVE but still (after nearly a year) isn’t fixed. I’m not clear whether Apple motivated the CVE, or full-disclosure/bugtraq.


  9. Firedrake

    The only thing that will make Apple fix the problem is public release of the full details of how it can be exploited.

    1. jik Post author

      The only thing that will make Apple fix the problem is public release of the full details of how it can be exploited.

      You may be right, but I’m doing my best to try all other potential channels before resorting to that.

  10. Ask Bjørn Hansen

    I don’t think Apple’s response was so off the mark.

    Email doesn’t have security; end of story.

    The unwanted emailer could just as well just forge the parents email address when sending the mail in the first place (sure; they couldn’t get a response I suppose but …)

    1. jik Post author

      Email doesn’t have security; end of story.

      You know that, and I know that, but most of the people using parental controls on the Mac don’t know that, and Apple does nothing to disabuse them of the notion that the provided parental controls are secure. Exactly the opposite, in fact — Apple leads the user to believe that they are secure when they are not.

      The unwanted emailer could just as well just forge the parents email address when sending the mail in the first place (sure; they couldn’t get a response I suppose but …)

      Your “I suppose but…” is the whole point of the vulnerability. It allows users supposedly protected by parental controls to bypass them and participate in an ongoing correspondence with people they’re not supposed to be corresponding with, which is the biggest threat the parental controls are intended to protect against. “Drive-by emails” are also a threat, but a much smaller one, when it comes to predatory behavior against children on the Internet.


Leave a Reply

Your email address will not be published. Required fields are marked *