Multiple vulnerabilities in a popular Android parental control app let kids bypass parental controls and let threat actors install malware on, or steal sensitive data from, affected devices.
The app is called Parental Control – Kids Place, and it’s developed by a company called Kiddowares. It has over 5 million downloads on Google Play and offers a variety of parental controls, from monitoring and geolocation to internet restrictions and payment restrictions. Parents can also track the time their kids spend on the device and make sure they are safe from any malicious content.
The findings are outlined in a report by cybersecurity firm SEC Consult, which urges users to update the app to the latest version immediately.
Researchers at SEC Consult found that versions 3.8.49 and earlier are vulnerable to five flaws.
The first allows threat actors to intercept and decrypt user registration and login data, which means they can obtain sensitive information such as login credentials.
The second, tracked as CVE-2023-29079, allows for a cross-site scripting attack, which could be used by threat actors to inject malicious scripts into parents’ dashboards. The third, tracked as CVE-2023-29078, is a cross-site request forgery (CSRF) vulnerability, while the fourth allows attackers to send files of up to 10MB to a child’s device.
This one is particularly dangerous because the files are uploaded to an AWS S3 bucket, where they are not scanned and may contain malware. The fifth, tracked as CVE-2023-28153, allows children (or threat actors) to temporarily remove all usage restrictions. Parents won’t know this change happened unless they manually check the dashboard.
All versions prior to 3.8.50 are vulnerable, the researchers said, and urged users to update immediately. The patch was released on February 14, 2023.