On Tuesday, Apple released iOS 13.3, and one of its key new features was Communication Limits, which lets parents set limits on who their kids talk to or message with... in theory. Due to some bugs related to iCloud’s contact sync feature, it turns out the new privacy controls can be bypassed without much effort, which could let kids call and text people (or total strangers) they might not be allowed to communicate with, as found by CNBC.
Apple confirmed to CNBC that it’s working on fixes, but it’s not a good look for a company that prides itself on security and privacy, and especially when the bugs are in a feature designed in part to protect kids.
It seems there are a couple ways to bypass the Communication Limits — though they apparently only work if the phone’s contacts aren’t stored on iCloud. To demonstrate one method, CNBC configured Communication Limits so that an iPhone wasn’t supposed to be able to communicate with a number that wasn’t already in the phone’s address book.
When the user tapped on a text from an unknown number, a full-screen warning popped up that said the number was a restricted contact — but then the user just tapped the small “Add contact” text on that warning screen, added a name to the contact, saved the contact to the phone’s address book, and then the user could text the contact without issue.
Here’s CNBC’s GIF of that exploit in action:
CNBC also said that kids can get around Communication Limits restrictions by using Siri on an Apple Watch. Apparently, if you tell Siri to text or call any phone number, it will do so, even if that number isn’t in the address book of the phone to which the Apple Watch is paired.
Apple didn’t give CNBC a time frame on when these bugs would be fixed, but as a workaround, the company suggested changing your contacts syncing service to iCloud from another account you might already be using, such as your Gmail account.