List:       full-disclosure
Subject:    [Full-disclosure] Mac OS X Mail parental controls vulnerability
From:       "Jonathan Kamens" <jik () kamens ! us>
Date:       2010-08-31 16:34:09
Message-ID: 003001cb492a$571f8a50$055e9ef0$ () us

The parental controls built into the Mac OS X Mail client can be easily
bypassed by anyone who knows the email address of the child and his/her
parent. The Mail client can be fooled into adding any address to the child's
whitelist (i.e., the list of addresses with whom the child is allowed to
correspond), as if the parent had approved the address, without his/her
knowledge or consent. This vulnerability can be taken advantage of by the
child or by any third party anywhere on the Internet.

I have reported this vulnerability to Apple, and they have declined to
assign a CVE ID for it, disclose it to the public, or indicate a time-line
for when it will be disclosed or fixed.

For more information:

http://blog.kamens.us/2010/08/03/mac-os-x-mail-parental-controls-vulnerability/
