Multiple Business Logic Errors in Apple Music/TV allowing bypass of parental controls


Sam

Hi techies, from this side of the screen! Let’s start the write-up without wasting the golden time!

So, Apple uses parental controls to stop children/teens from accessing inappropriate content. It uses a PIN, known only to the parent, to access the inappropriate content. So what if there is an easy method which could allow teens to bypass these parental controls in order to view the locked content? As easy as anyone could do it! And I found multiple ways to bypass the parental controls, so let’s take a look into it!

1. Weird settings of parental controls allowing to bypass it!

I found a logic flow which is weird. When a parent applies the parental lock on the Apple Music website, it only restricts the content on music.apple.com. So think as if you’re a parent of a child and want to lock inappropriate content: you just apply the parental lock and done! But in Apple it’s not like that. If a parent applies the parental lock to music.apple.com, it only restricts the content on the website, which is not known to most of the users, not even me. So now a child can use the Apple Music/TV application to view the inappropriate content even when the parental control is enabled in Apple Music web. So I reported the same thing to Apple on 14–3–24, and after a day I received a response saying it is working as intended, and this time they were right, as I missed a line on their webpage saying: “These content restrictions apply to Apple TV and Apple Music on the web. They do not restrict playback on other devices”

The root cause of this is that Apple is using different controls for the Apple Music app and Apple Music web, which work independently. So if you set parental controls in Apple Music web [music.apple.com], then in the Apple Music app the parental control is not applied at all.

2. Bypassing the parental controls via mobile app

Now, I started to investigate parental controls in the mobile app, and at first I got nothing and thought of giving it up. But after digging into the traffic of Apple Music I found out that if we change settings in the Apple Music app, it reflects in the Apple Music website. So what? It could allow a teen to change the settings of Apple Music from the application without any type of authentication. So if there are parental controls enabled in the Apple Music website, a child can open the Apple Music application, change the settings and access the inappropriate content, which proves the statement given by Apple as false, even if the text line on Apple’s parental control settings page says: “These content restrictions apply to Apple TV and Apple Music on the web. They do not restrict playback on other devices”. Then after one more day, I created a fully fledged report to share with Apple, but when I tried to create a POC video the flow was gone! The changes in the Apple Music app were not reflected to the Apple Music site at all, or maybe I missed the flow! A bummer, YES!

3. Now let’s target the line: “These content restrictions apply to Apple TV and Apple Music on the web. They do not restrict playback on other devices”

Now I thought that from music.apple.com it is working as intended, as it shows users the line saying it will only restrict the content on music.apple.com and not other devices. Now I checked the flow of parental controls in the Apple Music application, and there is no line or info which could inform the user that the parental control settings applied in the Apple Music app only restrict the content in the Apple Music app. So as a parent you will set parental controls and simply think your child cannot access the restricted content, as in the Apple Music app there’s no warning for you that the parental control will only work in the app and not on the web. A child can access the web Apple Music and can see the restricted content [it’s a simple bypass]! Now what? As Apple declined my report on the basis of a simple line, now I can report this to them. And guess what, I got a reply saying this [a huge disappointment]:

Here is the one good POC video I recorded, if you want to take a look at it: https://youtu.be/WYgmtI0TUpE

They want me to report it as feedback. Really?

4. Adding one more bug to the same flow of attacks 😵

Now I found a crystal clear root cause and very easy reproduction steps, so let’s take a look into it. Assume that as a parent you enabled parental control settings in the Apple Music app, and a teen child wants to view the restricted content. He can simply log out from the application and log in again, and boom, the parental controls are gone from the application. In a similar way he can uninstall the Apple Music application and install it again, or just clear the app data from settings [Android device], and boom, the parental controls are gone. So now again it looks like a new bug, ain’t it? The root cause of this is that the Apple Music app is using client-side checks to see if the user is allowed to view the explicit content or not. Here is the flow of it:

Root cause of this: the app is checking the parental controls on the client side, just by a TRUE or FALSE condition, which can be bypassed very easily just by logging out and logging in again into the app.
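The client-side check described above, modelled next to a server-side alternative, as an added example that is not from the original write-up and is not Apple's code. All class names, the sample catalogue and the PIN are hypothetical; the model assumes the restriction is a boolean held in local app state, as the write-up describes, and the hardened form also covers the per-client and unauthenticated-change issues from sections 1 to 3.

```python
import hashlib
import hmac
import os

# Constructed sample catalogue; track ids and flags are made up for this example.
CATALOGUE = {"t1": {"explicit": False}, "t2": {"explicit": True}}

class ClientOnlyApp:
    """Pattern described above: the restriction is a boolean in local app state."""
    def __init__(self):
        self.prefs = {}  # wiped by logout, reinstall or "clear app data"
    def enable_restriction(self):
        self.prefs["restrict_explicit"] = True
    def logout_and_login(self):
        self.prefs = {}  # local state is rebuilt with defaults
    def can_play(self, track_id):
        restricted = self.prefs.get("restrict_explicit", False)
        return not (restricted and CATALOGUE[track_id]["explicit"])

class PolicyServer:
    """Hardened form: one restriction per account, enforced when content is requested."""
    def __init__(self):
        self.accounts = {}
    def _hash(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    def create_account(self, account, pin):
        salt = os.urandom(16)
        self.accounts[account] = {"salt": salt, "pin": self._hash(pin, salt),
                                  "restrict_explicit": False}
    def set_restriction(self, account, enabled, pin):
        acct = self.accounts[account]
        # Changing the policy needs the parent's PIN, whichever client asks.
        if not hmac.compare_digest(acct["pin"], self._hash(pin, acct["salt"])):
            return False
        acct["restrict_explicit"] = enabled
        return True
    def can_play(self, account, track_id, client):
        # `client` ("web", "android", ...) is ignored on purpose: same policy everywhere.
        acct = self.accounts[account]
        return not (acct["restrict_explicit"] and CATALOGUE[track_id]["explicit"])

def demo():
    app = ClientOnlyApp()
    app.enable_restriction()
    before = app.can_play("t2")
    app.logout_and_login()
    after = app.can_play("t2")  # restriction silently lost with the local state
    srv = PolicyServer()
    srv.create_account("family", "4821")  # constructed account name and PIN
    srv.set_restriction("family", True, "4821")
    denied_change = srv.set_restriction("family", False, "0000")
    server_view = [srv.can_play("family", "t2", c) for c in ("web", "android")]
    return before, after, denied_change, server_view
```

Because the server decides at request time, a fresh install or a new login starts with the same account-level restriction instead of a default of "unrestricted".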

I reported this 4th thing with proper attack scenarios to Apple, and look at their response:

They kept saying I should report this to Apple as feedback. I was really not expecting the reply, WTH Apple 😥???? It really disappointed me a lot after spending a hefty amount of time on it! I really do not agree with this decision of Apple, what do you guys think? I won’t mind if you guys comment your thoughts on the decision of Apple, so they could know that it’s not feedback 😂 but a bug!

And they also said something cool, look at it: as per Apple, “Parental controls are not a security feature”. Cool, yay! 😂

At the end, I thought of leaving this issue as it is and disclosing it publicly so everyone can know about it!

Timeline :

Reported the initial discovery : 14/3/24

Rejected as WAI : 14/3/24

Reported a working bug : 16/3/24

Rejected as they want me to report it as feedback : 16/3/24

Reported one more bug with different root cause : 18/4/24

Rejected as they want me to report it as feedback : 19/4/24

Disclosure : 14/5/24

You can follow me on Twitter [X] here: __Sam0_0. I’ll keep posting more write-ups here!

Thanks !
