Hi,
Hope you guys are doing well. As always, let's get straight into the bug without wasting any time. As we all know, parental controls restrict children and teens from accessing inappropriate content, so let's take a look at Apple's parental controls.
HOW PARENTAL CONTROLS WORK AT APPLE:
1- The parent enters the parental PIN to enable or change the parental settings on the site.
2- The PIN goes to Apple's servers; the server generates a base64 token and sends it back to the parent.
3- The parent uses that base64 token as authorization to change the parental settings.
Explanation of the attack flow: The Bypass
After some digging, I found that the base64 token used as authorization is made up of the dsid [a unique integer value for each Apple ID] and a timestamp. So we need the dsid and a timestamp to forge our own custom token, send it with a request, and take control of the parental controls as the child.
For that we first need the dsid. After digging into it for one more day, I found that if we send a request to familyws.icloud.apple.com with a particular cookie and endpoint, we get the dsid for our account. For this we need a cookie named “caw”, which can be obtained from the storage section of the browser, as we are already logged into the account [but with parental restrictions applied]. After obtaining the cookie, I made a request to this endpoint:
https://familyws.icloud.apple.com:443/api/family-members
which responded with our account's dsid as currentDsid in the response.
Now all we need is the timestamp, and here it gets messy. After around 30 attempts I noticed the timestamp was behaving strangely and not letting us forge a valid token, so I decided to brute-force it. I brute-forced the epoch timestamp digit by digit; since it was in millisecond format, I ignored the last 3–4 digits and focused only on the minutes. After a few minutes of brute-forcing and trial and error, I found that the server allows a variation of at most 3–4 minutes from the time the parent last accessed the settings [meaning any action the parent performed at that time, such as changing a setting]. It was still a mystery how exactly it was allowing or declining access, but in the end I managed to forge a custom token and bypass the parental controls. I wrote a Python-based exploit to automate the whole attack; it requires some cookies to work [it will not work now, as Apple has fixed the issue]. You can check it here: https://github.com/SAM0-0/APPLE-PARENTAL-BYPASS
PoC: https://youtu.be/L2ZkFdbCpMo
Steps to reproduce: [these steps can be made easier in an actual attack]
step-1: The child is restricted by the parents from 18+ content.
step-2: The child uses the account's cookie to obtain the dsid by running Python script-1.
step-3: The child runs Python script-2 and adds their ctoke cookie from the browser. The script brute-forces custom tokens until it finds a valid one, then offers the option to remove the parental restriction, and the child removes it.
The root cause:
The token used for changing parental control settings is guessable by anyone, because it is made of a timestamp and the dsid. We can get the dsid of our account by logging into appleid.apple.com; once we have that, we can guess the timestamp very easily. Even more interesting, there is no rate limit on the endpoint, which allows an attacker to brute-force tokens and find the right one to edit the parental controls. Once they have a valid token they can do anything they want: enable or disable the age restriction, change the current PIN even without knowing it, or change the recovery email.
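To make the root cause concrete, here is an added model of the attack flow and of the fix, written for this write-up; it is not the author's exploit script and not Apple's code. It assumes a token layout of base64("dsid:epoch-ms") (the write-up only says the token is built from the dsid and a timestamp), a 4-minute acceptance window, a constructed dsid and PIN, and two mock services: a weak one that accepts any matching dsid/timestamp with no rate limit, and a hardened one that only issues tokens after PIN verification, binds them to a random nonce and an HMAC under a server-side secret, and locks out PIN guessing. The same minute-granularity search the write-up describes succeeds against the first and finds nothing against the second.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Acceptance window observed in the write-up was 3-4 minutes; 4 is assumed here.
WINDOW_MS = 4 * 60_000
MINUTE_MS = 60_000


def weak_token(dsid: int, ts_ms: int) -> str:
    """Assumed weak layout: base64("<dsid>:<epoch ms>"). The real encoding is not disclosed."""
    return base64.b64encode(f"{dsid}:{ts_ms}".encode()).decode()


class WeakParentalService:
    """Mock of the vulnerable behaviour: a token is accepted if its dsid matches and its
    timestamp lies within WINDOW_MS of the parent's last action. No secret, no nonce,
    no rate limit, so the attacker only has to guess the minute."""

    def __init__(self, dsid: int, last_parent_action_ms: int) -> None:
        self.dsid, self.last_parent_action_ms = dsid, last_parent_action_ms
        self.attempts, self.restricted = 0, True

    def change_settings(self, token: str, restricted: bool) -> bool:
        self.attempts += 1
        try:
            dsid_str, ts_str = base64.b64decode(token).decode().split(":")
            dsid, ts_ms = int(dsid_str), int(ts_str)
        except (ValueError, UnicodeDecodeError):
            return False
        if dsid != self.dsid or abs(ts_ms - self.last_parent_action_ms) > WINDOW_MS:
            return False
        self.restricted = restricted
        return True


def brute_force_minutes(service, dsid: int, guess_ms: int, search_minutes: int = 60) -> Optional[str]:
    """Minute-granularity search around guess_ms, nearest candidates first (the millisecond
    digits are ignored, as in the write-up). Returns the first accepted token, else None."""
    for k in range(search_minutes + 1):
        for sign in ((1,) if k == 0 else (1, -1)):
            token = weak_token(dsid, guess_ms + sign * k * MINUTE_MS)
            if service.change_settings(token, restricted=False):
                return token
    return None


class HardenedParentalService:
    """Fix: tokens are issued only after PIN verification, carry a random nonce and an
    HMAC-SHA256 under a server-side secret, and PIN guessing is capped at max_attempts."""

    def __init__(self, dsid: int, pin: str, max_attempts: int = 5) -> None:
        self.dsid, self._pin, self.max_attempts = dsid, pin, max_attempts
        self._secret = secrets.token_bytes(32)
        self.failed_pins, self.restricted = 0, True

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    def issue_token(self, pin: str) -> Optional[str]:
        if self.failed_pins >= self.max_attempts:
            return None  # locked out
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failed_pins += 1
            return None
        payload = f"{self.dsid}:{int(time.time() * 1000)}:{secrets.token_hex(16)}".encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(self._sign(payload)).decode())

    def change_settings(self, token: str, restricted: bool) -> bool:
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False  # forged or tampered: reject before trusting any field
        dsid_str, ts_str, _nonce = payload.decode().split(":")
        if int(dsid_str) != self.dsid or abs(int(time.time() * 1000) - int(ts_str)) > WINDOW_MS:
            return False
        self.restricted = restricted
        return True


def attack_weak(dsid: int = 1234567890, parent_action_ms: int = 1_700_000_000_000) -> Tuple[bool, int]:
    """Constructed scenario: the child guesses the parent acted ~10 minutes earlier than
    they did. Returns (restriction still on, requests sent)."""
    svc = WeakParentalService(dsid, parent_action_ms)
    brute_force_minutes(svc, dsid, parent_action_ms - 10 * MINUTE_MS)
    return svc.restricted, svc.attempts


def attack_hardened(dsid: int = 1234567890) -> Tuple[bool, Optional[str]]:
    """The same search against the fixed design finds nothing."""
    svc = HardenedParentalService(dsid, pin="1234")
    return svc.restricted, brute_force_minutes(svc, dsid, int(time.time() * 1000))


def parent_flow(dsid: int = 1234567890) -> Tuple[bool, bool, Optional[str]]:
    """The legitimate parent still works, and five wrong PINs lock token issuance."""
    svc = HardenedParentalService(dsid, pin="1234")
    token = svc.issue_token("1234")
    ok = token is not None and svc.change_settings(token, restricted=False)
    for _ in range(svc.max_attempts):
        svc.issue_token("0000")
    return ok, svc.restricted, svc.issue_token("1234")


if __name__ == "__main__":
    print("weak service:", attack_weak())
    print("hardened service:", attack_hardened())
    print("parent flow:", parent_flow())
```

Against the weak mock the restriction falls after 12 requests even though the attacker's guess was ten minutes off, because a 4-minute window searched at minute granularity is only a handful of candidates. Against the hardened mock every forged token fails the signature check before any field is trusted, and the only remaining guessable secret, the PIN, is capped by the lockout.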
Apple's response: they investigated this for nine months and at the end stated that it is a duplicate bug! So, sadly, $0 in rewards. I investigated it further, and Apple applied a pretty good fix this time.
The question: is the four-digit PIN brute-forceable? Yes, you are right; I reported that as well, but it also resulted in a duplicate. And it is quite different from the bug we are covering right now!
The issue allowed us to bypass parental controls and their settings on all Apple services, including Apple TV, Music and Podcasts; if we disable them on one service they are disabled on every other service as well. I was also able to alter the recovery email and change or remove the parental controls from the account with minimal effort. If something like this leaked to teens it could result in a huge mess for Apple, as things like this do not take long to spread.
Timeline:
7 April 2023 — Reported the bug
7 July 2023 — Update? — They're investigating the report
14 Dec 2023 — Report closed by some error from their side, and the fix applied the same day!
16 Jan 2024 — Marked as duplicate
13 Mar 2024 — Disclosure
Follow me here for more write-ups, and ask any questions! :)
Thanks.