Mac OS X Mail parental controls vulnerability

The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent. The Mail client can be fooled into adding any address to the child’s whitelist (i.e., the list of addresses with whom the child is allowed to correspond), as if the parent had approved the address, without his/her knowledge or consent. This vulnerability can be taken advantage of by the child or by any third party anywhere on the Internet.

I first notified Apple about this vulnerability on July 23, 2010. In response, Apple claimed that parental controls are only intended for young children and that the level of security they provide is adequate for that purpose. This response is off the mark for two reasons:

   1. The documentation that comes with the Mac says nothing about the controls being intended only for young children, nor does it suggest that a tech-savvy child could bypass them.
   2. This response ignores the fact that the controls are also intended to keep unwanted outsiders from corresponding with children, and even if the children can’t figure out how to bypass them, the outsiders certainly can.

Apple and I have exchanged several rounds of email since their initial response. They have created an issue in their bug-tracking system, and they claim that they are taking it seriously and intend to fix it. However, they have refused to assign a CVE ID and will not give any sort of time-line for disclosure or patching.

A CVE ID is supposed to be assigned to an issue as soon as it is known to the public. The point of CVE IDs is to allow all public discussion of a vulnerability to refer to a common identifier which ties the discussion together. Since Apple is a CVE CNA, they are responsible for assigning CVE IDs to vulnerabilities in Apple software. Apple told me they won’t assign a CVE ID until they release a fix. They should have assigned a CVE ID when I asked them to do so. According to Mitre, “If the affected software vendor is a CNA, then the researcher must obtain the CVE-ID from the vendor,” which means that Apple’s refusal to issue a CVE ID has prevented me from including one in this initial disclosure.

On August 1, 2010, I reported this vulnerability to CERT. They responded, “… unfortunately, because of our current case load we will not be able to handle the coordination or disclosure,” and further instructed, “Please continue to work with the vendor directly.” I am disclosing the vulnerability (albeit not the details of how to exploit it) here because I am dissatisfied with Apple’s response and believe that their refusal to assign a CVE ID or disclose the vulnerability is unacceptable.
Getting the child’s and parent’s email addresses

As noted above, all that is necessary to take advantage of this vulnerability is for the attacker to know the addresses of the child whose whitelist s/he wishes to compromise and his/her parent.

It might seem implausible that a third party would be able to obtain a child’s and his/her parent’s email addresses while at the same time not being someone whom the parent wishes to allow to correspond with the child. Nevertheless, there are numerous scenarios in which this might occur. For example:

    * An unwary child may simply reveal the information, e.g., in a chat room.
    * Some Web sites intended for children actually require the child to provide their own and a parent’s addresses.
    * A non-custodial parent may know the child’s and other parent’s email addresses while not being authorized to exchange email directly with the child.

Workarounds until the vulnerability is fixed

Parents utilizing Mac Mail parental controls can protect themselves against this vulnerability as follows:

   1. Disable parental notification of unapproved addresses by removing your email address from the notification field for your child in the parental controls application. If you do this, then your child will need to ask you directly to add new addresses to his/her whitelist, and you will need to add them manually through the application.
   2. Review your child’s whitelist in the parental controls application on a regular basis to confirm that no unrecognized addresses have been added to it.