Apple Will Finally Fix This Parental Control Bug from 2020

It’s been over five years since Apple introduced Screen Time in iOS 12, and in that time, the parental control feature seems to have been plagued by more bugs than a bait store — or, as the Wall Street Journal’s Joanna Stern puts it, “more bugs than a soda spill on a summer’s day.”

Although Screen Time seemed like a wonderful idea on the surface, Apple has maintained it poorly over the years. When it works, it generally works well, but we’ve heard so many reports of it failing that it’s hard to recommend that parents rely on it — at least not without double- and triple-checking to make sure it’s operating properly on their kids’ devices.

For example, only a few months after Screen Time debuted, one of our readers pointed out that her child’s iPad was able to bypass content restrictions after being updated to iOS 12.2. We’ve also seen clever kids finding loopholes in Screen Time (including my then-nine-year-old daughter) and Downtime, the feature that shuts down access at bedtime or during homework time, failing to work as it should.

The WSJ’s Joanna Stern reported that one in 2023, but it’s another one I encountered personally; even after Apple said it was fixed in iOS 16.5, I was able to reproduce it in iOS 16.6 and the early iOS 17 betas.

Now, Stern has highlighted another serious bug in Screen Time that allows kids to bypass web content restrictions and access potentially dangerous websites. What’s worse is that Apple was told about this bug in 2020, yet it remains unfixed to this day.

The workaround is surprisingly simple, even if it’s not particularly well-known. Typing a special string of characters in the Safari browser’s address bar bypasses all parental control restrictions as if they didn’t exist.

I tried a number of Apple devices. With Screen Time enabled on iPads and iPhones running iOS/iPadOS 15, 16 and 17, I was able to visit porn sites, watch graphic, violent news footage on YouTube and Google “how to buy cocaine.”
– Joanna Stern

While Apple claims it takes Screen Time seriously, Stern says the reality is that “the system meant to protect Apple’s youngest users feels like an afterthought.”

We take reports of issues regarding Screen Time very seriously and have been consistently making improvements to ensure users have the best experience. Our work is not done and we will continue to make updates in upcoming software releases.
– An Apple spokeswoman speaking with The Wall Street Journal

Apple notes that the latest iOS 17.5 update “includes substantial Screen Time fixes,” but it hasn’t yet fixed this bug that was disclosed by security researchers over three years ago.

The duo of Vienna-based researchers, Andreas Jägersberger and Ro Achterberg, discovered that “typing a string of characters into the Safari address bar in any Apple software — iOS, iPadOS and MacOS — would sidestep website restrictions set by Apple’s parental controls.”

They reported this to Apple as a security vulnerability in March 2021 but were rebuffed and told that it wasn’t a “security issue” and should be handled through Apple’s standard feedback tool instead.

Unsurprisingly, they didn’t hear anything back from the feedback tool, which has always been something of a black box. So, they tried Apple’s security team again in August of that year, who flatly told them: “We do not see any actual security implications.”

Undaunted, the researchers continued to try to get Apple to appreciate the seriousness of the bug since it affected not only parental controls but also corporate security — the same technique could be used to bypass web filters set by management tools on devices issued to employees. Finally, after growing tired of talking to a brick wall, the pair decided it was time to reach out to the press and contacted Stern.

After three years of report submissions, which included documentation of a suggested fix, and contacting others in Apple security, Jägersberger and Achterberg felt the company wasn’t going to release a patch or pay them a bounty. So they contacted me.
– Joanna Stern

The character string remains a mystery, as Stern naturally declined to share it to prevent the flaw from being abused. However, she was able to reproduce the bug on everything from an iPhone to a MacBook Pro, running the latest versions of iOS and macOS.

After doing so, Stern reached out to Apple and got the response that had eluded Jägersberger and Achterberg. A spokeswoman confirmed that the company is “aware of an issue with an underlying web technology protocol for developers, which allows for a user to bypass web content restrictions.”

The Apple spokeswoman also said “a fix has been planned for the next software update.” Still, we’re left wondering whether such a fix was only planned after Stern’s communique was received. However, an Apple spokesman firmly stated that this flaw was a “software issue” and not a “security vulnerability” — a distinction Apple takes very seriously.

In all likelihood, Jägersberger’s and Achterberg’s report got lost in the bureaucratic shuffle that all big organizations are prone to. Apple’s Security Team focuses exclusively on “security vulnerabilities” — critical security flaws that could allow an external attacker to get at your data or do bad things to your device. It also pays potentially large bug bounties for people who submit information on these types of vulnerabilities, which is why it’s so strict on what qualifies as a security issue.

Hence, the researchers were directed to submit their report through the “proper” channels for software issues, but it was too easily ignored among the thousands of reports submitted through the feedback tool each day. The Apple spokeswoman told Stern that Apple is “committed to improving the process by which it receives and escalates bug reports,” but time will tell if that’s just PR-speak or if the company actually does something to ensure problems like these get the attention they deserve.
