exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mac OS X Mail Parental Controls Vulnerability

Mac OS X Mail Parental Controls Vulnerability
Posted Sep 1, 2010
Authored by Jonathan Kamens

The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent.

tags | advisory, bypass
systems | apple, osx
SHA-256 | 2cea0d1de0854cd9bb8d264fbcd69773f9c4ef72a630259446ef50733e64ab09

Mac OS X Mail Parental Controls Vulnerability

Change Mirror Download
Mac OS X Mail parental controls vulnerability

The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent. The Mail client can be fooled into adding any address to the child’s whitelist (i.e., the list of addresses with whom the child is allowed to correspond), as if the parent had approved the address, without his/her knowledge or consent. This vulnerability can be taken advantage of by the child or by any third party anywhere on the Internet.

I first notified Apple about this vulnerability on July 23, 2010. In response, Apple claimed that parental controls are only intended for young children and that the level of security they provide is adequate for that purpose. This response is off the mark for two reasons:

1. The documentation that comes with the Mac says nothing about the controls being intended only for young children, nor does it suggest that a tech-savvy child could bypass them.
2. This response ignores the fact that the controls are also intended to keep unwanted outsiders from corresponding with children, and even if the children can’t figure out how to bypass them, the outsiders certainly can.

Apple and I have exchanged several rounds of email since their initial response. They have created an issue in their bug-tracking system, and they claim that they are taking it seriously and intend to fix it. However, they have refused to assign a CVE ID and will not give any sort of time-line for disclosure or patching.

A CVE ID is supposed to be assigned to an issue as soon as it is known to the public. The point of CVE IDs is to allow all public discussion of a vulnerability to refer to a common identifier which ties the discussion together. Since Apple is a CVE CNA, they are responsible for assigning CVE IDs to vulnerabilities in Apple software. Apple told me they won’t assign a CVE ID until they release a fix. They should have assigned a CVE ID when I asked them to do so. According to Mitre, “If the affected software vendor is a CNA, then the researcher must obtain the CVE-ID from the vendor,” which means that Apple’s refusal to issue a CVE ID has prevented me from including one in this initial disclosure.

On August 1, 2010, I reported this vulnerability to CERT. They responded, “… unfortunately, because of our current case load we will not be able to handle the coordination or disclosure,” and further instructed, “Please continue to work with the vendor directly.” I am disclosing the vulnerability (albeit not the details of how to exploit it) here because I am dissatisfied with Apple’s response and believe that their refusal to assign a CVE ID or disclose the vulnerability is unacceptable.
Getting the child’s and parent’s email addresses

As noted above, all that is necessary to take advantage of this vulnerability is for the attacker to know the addresses of the child whose whitelist s/he wishes to compromise and his/her parent.

It might seem implausible that a third party would be able to obtain a child’s and his/her parent’s email addresses while at the same time not being someone whom the parent wishes to allow to correspond with the child. Nevertheless, there are numerous scenarios in which this might occur. For example:

* An unwary child may simply reveal the information, e.g., in a chat room.
* Some Web sites intended for children actually require the child to provide their own and a parent’s addresses.
* A non-custodial parent may know the child’s and other parent’s email addresses while not being authorized to exchange email directly with the child.

Workarounds until the vulnerability is fixed

Parents utilizing Mac Mail parental controls can protect themselves against this vulnerability as follows:

1. Disable parental notification of unapproved addresses by removing your email address from the notification field for your child in the parental controls application. If you do this, then your child will need to ask you directly to add new addresses to his/her whitelist, and you will need to add them manually through the application.
2. Review your child’s whitelist in the parental controls application on a regular basis to confirm that no unrecognized addresses have been added to it.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close