The new party restriction feature can be bypassed if contacts are stored locally on the iPhone.

Apple has just released version 13.3 of its iOS operating system. Among the new features is a parental control function which limits the correspondents to whom children can speak or send messages. Alas, a bug allows circumventing this limit as shown in this CNBC video.

The bug comes from the synchronization of contacts with iCloud. If the contacts are not synchronized and are therefore just stored locally on the iPhone, a child can add a new correspondent and bypass parental controls. If he receives a call from an unknown number, he can then save the phone number in his address book, then use it for calls, send messages, or even FaceTime video communication.

CNBC also found that a child could use an Apple Watch and ask Siri to call or send a message to anyone, even if they’re not in the address book.

However, the bug is not exploitable if parents have activated the downtime, which restricts the use during certain times.

Apple is currently working on a fix but has not indicated when it will be available. In the meantime, the manufacturer advises parents to synchronize their children’s iPhone contacts with iCloud.