How to disable the captive portal window in Mac OS Lion.
Written by @notdan
** TO SKIP TO THE STEPS ON DISABLING THE CAPTIVE PORTAL, JUST SCROLL DOWN TO STEPS TO DISABLE FUNCTION **
--[ ISSUE ]--
Mac OS X Lion (10.7.4+) phones home after negotiating a network connection, without prompting the user or offering any option to configure this behavior.
--[ DETAILS ]--
Once Mac OS X detects an active network connection, a subsystem is activated that phones home to Apple's servers to test whether the network's internet connection is behind a captive portal, such as a hotel's. If a captive portal is detected, the Safari web browser is launched and a window loads the captive portal in order to prompt the user for credentials, credit card numbers, acceptance of an EULA, or whatever else is required to activate full internet access on the network.
--[ RISKS THIS FEATURE POSES TO USERS ]--
- Safari Application is launched without user consent
- Theft of credit card data, user credentials, and other information can easily be accomplished by means of a false captive portal.
- HTML injection, Cross Site Scripting Attacks (XSS), and other malicious code can be introduced without user control or notice.
- The user's whereabouts (via IP address geolocation, etc.) are leaked to Apple servers without user knowledge.
- Please see this article on Hijacking OS X Lion Captive Portal Feature.
--[ RECOMMENDATIONS ]--
From a security and privacy perspective, it is highly recommended that this feature be disabled on your machine.
--[ REMEDIATION ]--
As of writing this, I have found only one method of disabling this feature.
If you have other more elegant ways of disabling the captive portal system, please let me know.
--[ STEPS TO DISABLE FUNCTION ]--
Please note, this is not supported by Apple and I take no responsibility for you messing this up. If you're not comfortable with Terminal, chances are you probably don't care about this anyways ;) On the off chance you ARE still interested but nervous about Terminal commands, please seek some assistance.
1.) Open Terminal Application
2.) sudo su - [Enter your password]
3.) From the directory that contains Settings.plist, execute the following 2 commands exactly as written.
cp Settings.plist Settings.plist.orig
sed 's/\.apple\.com/.localhost/g' Settings.plist.orig > Settings.plist
These commands will make a backup of your Settings.plist in case you want to restore it. The newly modified Settings.plist basically just replaces all of the servers your machine attempts to phone home to (like www.apple.com or attwifi.apple.com) with entries like www.localhost/whatever instead of www.apple.com. It's not extremely pretty, but it works. Quite honestly you could probably just null the whole file and make it immutable, but I haven't tested it so I can't in good faith recommend it at the moment.
With your new "localhost" servers, you will no longer have Safari automatically opening when connecting to networks.
--[ DETAILS OF FINDING THIS ON YOUR OWN ]--
Within the Console Logs, the following can be observed when connecting to a known "Captive" Wifi access point:
11/30/11 1:00:10.826 PM UserEventAgent: CaptiveNetworkSupport:wispr_detect_redirect_async:424 user-agent:"CaptiveNetworkSupport-173 wispr" url:"http://www.apple.com/library/test/success.html"
A search of the filesystem for 'captivenetwork' reveals the following directory and file:
--[ FINAL NOTES ]--
- The setting changes DO NOT survive certain Apple updates, especially those dealing with "Apple Airport" Updates. You may need to repeat this process from time to time.
- The setting changes do not harm or interfere with networking
- Hopefully Apple will remove this function. It's completely useless.
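Because the change is lost after some updates, the re-check can be scripted. The following is an added example, not part of the original post: it re-applies the same .apple.com to .localhost rewrite only when the file has reverted, so the backup is never replaced by an already-modified copy. The function names, the sample plist and its key names are constructed for illustration; the real Settings.plist path is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. The plist path is supplied by the caller.

# Print how many lines of FILE still name an *.apple.com host.
count_probe_hosts() {
    grep -c '\.apple\.com' "$1" || true
}

# Re-apply the post's rewrite only if FILE has reverted to Apple's hosts.
# Status: 0 = rewritten, 1 = already rewritten (file untouched), 2 = error.
reapply_rewrite() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    [ "$(count_probe_hosts "$f")" -gt 0 ] || return 1
    # FILE is Apple's version at this point, so refreshing the backup is safe.
    cp -p "$f" "$f.orig" || return 2
    sed 's/\.apple\.com/.localhost/g' "$f.orig" > "$f" || return 2
}

# Constructed stand-in for Settings.plist; the key names are made up.
make_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExampleProbeURL</key>
    <string>http://www.apple.com/library/test/success.html</string>
    <key>ExampleHosts</key>
    <array><string>attwifi.apple.com</string></array>
</dict>
</plist>
EOF
}

# Demo in a scratch directory: the first pass rewrites the reverted file,
# the second pass leaves both the file and the backup alone.
demo() {
    d=$(mktemp -d) && p="$d/Settings.plist"
    make_sample "$p"
    for pass in 1 2; do
        reapply_rewrite "$p" && echo "pass $pass: rewritten" \
            || echo "pass $pass: no change (status $?)"
    done
    echo "apple.com lines left: $(count_probe_hosts "$p")"
    rm -rf "$d"
}
demo
```

The DOCTYPE line of the sample also matches the pattern, just as it does with the sed command in the steps above, which is why the sample starts with three matching lines rather than two.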
If you liked this article, or especially if you hate it, hit me up!
Q: Why does your site/blog look like dog shit?
A: I don't give a fuck and I wrote this in vi.
Q: What if I break my Mac by using your instructions?
A: Please contact me so that I can laugh at your misfortune.
Q: Will this break things?
A: Probably not.
Q: I have a better solution, yours is completely stupid and reckless.
A: That isn't a goddamn question.
@notdan on twitters
or emailz email@example.com