Mac OS X Mail parental controls vulnerability

["Jonathan Kamens" <jik () kamens us>]

The parental controls built into the Mac OS X Mail client can be easily
bypassed by anyone who knows the email address of the child and his/her
parent. The Mail client can be fooled into adding any address to the child's
whitelist (i.e., the list of addresses with whom the child is allowed to
correspond), as if the parent had approved the address, without his/her
knowledge or consent. This vulnerability can be taken advantage of by the
child or by any third party anywhere on the Internet.

 

I have reported this vulnerability to Apple, and they have declined to
assign a CVE ID for it, disclose it to the public, or indicate a time-line
for when it will be disclosed or fixed.

 

For more information:

 

http://blog.kamens.us/2010/08/03/mac-os-x-mail-parental-controls-vulnerabili
ty/ 

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/