Apple has promised to fix a longstanding iPhone, iPad, and Mac bug that let children bypass parental controls and visit adult websites.
In response to a Wall Street Journal story discussing the flaw with Screen Time, Apple said it took problem reports “very seriously” and would have a solution with the next round of software updates. The recent iOS 17.5 release included “substantial” Screen Time fixes, the company added.
Security researcher Andreas Jägersberger discovered the bug in 2020. Typing the right string of characters into the Safari address bar on any web-capable Apple product would bypass the Screen Time parental controls and let the user access any website.
Jägersberger and his teammate Ro Achterberg submitted the issue in March 2021 to take part in Apple’s security bug bounty program, but were told it was a general bug that should be submitted through the official feedback tool. They did, but never heard back, and then reached out to the Journal.
It’s not clear why Apple left the bug untouched for so long. It did say it was committed to improving its bug handling process, but maintained that the researchers had found a bug rather than a security hole.
The underlying concern is less the bug itself than what it enables. A bad actor could theoretically use the string to get to a normally hidden website and use that site to infect the device or conduct a phishing scam.
There are reports of other bugs in Screen Time, including ineffective app restrictions and a hiccup that lets kids abuse the “ask to buy” measure. It’s not certain how many of these missteps were fixed with iOS 17.5, but there’s pressure to have this addressed before the expected iPhone 16 series launch in early fall.