Apple is fixing a years-old parental control bug that lets kids avoid web filters

4 months ago

For parents, it can feel like a no-brainer to let their kids have an iPad thanks to its built-in parental control feature, Screen Time. But the system is also undeniably buggy, as most parents will attest. Now, Apple is fixing one of the software’s worst bugs — an apparently obscure one that would let kids see the worst parts of the internet despite settings to stop that, reports Joanna Stern for The Wall Street Journal.

The bug goes like this: kids can circumvent content restrictions by entering a specific string of characters into Safari’s browser bar. Security researchers Andreas Jägersberger and Ro Achterberg reported this bug twice in 2021 and, both times, were told that it wasn’t a security flaw, Stern writes. She also notes that it doesn’t appear as though this particular bug has seen widespread use.

The researchers were apparently told repeatedly over three years that it wasn’t a security problem and were referred to Apple’s feedback tool for software bugs. But after they contacted Stern to report their findings and their struggle with Apple, the company told her there’s a fix coming in the next iOS software update. Stern writes that the company “maintains the flaw was a software issue, not a security vulnerability.” Well. At least it’s being fixed.

The story underscores that Apple’s parental control software remains woefully underserviced. Though it has that glossy Apple sheen, the feature is functionally hampered by bugs like those that Stern mentions: not receiving requests for more time, for instance, or an occasionally blank screen usage chart. These are the key features that make Screen Time useful. (Stern notes that Apple fixed several issues in recent software updates.)

What makes this worse is that Apple doesn’t have much competition, seemingly by design. It limited or removed third-party parental control app alternatives for its ecosystem in 2019 after it first introduced Screen Time in iOS 12. At the time, the company said that the apps were inappropriately taking advantage of its enterprise-focused mobile device management (MDM) profiles that enable control over company-issued iPhones. Apple removed apps that were using the powerful management feature — a not unreasonable move considering the very real dangers that sort of access poses.

The move generated controversy, leading parental control app developers to band together and demand an API for their apps, which would put the company more in control of their access while letting them compete with Screen Time. Apple never provided that, but it did reverse course and let parental control apps use some MDM features under certain circumstances and even unbanned some apps.

But using a third-party parental control app can be far more involved than using the built-in system. Setting up an app that actually offers anything close to Screen Time integration takes a lot of hoop-jumping: for instance, in the Qustodio app, I needed to download an app for my phone and create an account. Then, I had to get a separate app for my kids’ device, log in to it with the account I made, then download and install an MDM profile. To do this with a second device, I’d have to repeat those steps all over again. An official API would have made this easier, and this procedure, I’d imagine, keeps a lot of parents from trying out other apps, leaving Apple effectively without competition — and parents with a broken experience.

This puts users at Apple’s mercy, waiting for it to roll out fixes, as with this year’s bug that wouldn’t save parents’ Downtime limits — limits on when a device can be used — properly. Apple reportedly fixed that in January with iOS 17.1, though that’s not mentioned in the release notes for the update.

Apple did not immediately respond to a request for comment.
