Kids Place, the parental control app of the Kiddowares company, was found to have vulnerabilities that put its 5 million-plus users at risk.
The vulnerabilities were anything but minor — researchers at SEC Consult found that the vulnerabilities they exposed would have allowed hackers to steal user credentials, let children bypass parental controls without anyone knowing, and even attack users’ devices by uploading arbitrary files onto their devices. Threat actors could install all sorts of malware right onto your child’s devices.
The Kids Place app itself offers parental controls, geo monitoring, remote device access, and content blocking to help parents control what their kids are doing online. However, with the vulnerabilities that were found in various versions of the product (version 3.8.49 and older), it’s important to make sure that you quickly download the newest security update.
There were five main flaws that were found.
- User logins and passwords used a faulty encryption system that relied on old technology that was easy to decrypt by modern computers.
- Hackers could manipulate the customizable name feature to trigger a specific payload on the parent web dashboard, allowing them to gain unauthorized access to their devices.
- All requests in the web dashboard could be hijacked using cross-site forgery attacks, with information obtained from their browser history.
- An exploitation was found on the dashboard that would allow hackers to generate arbitrary files and downloads them onto your child’s device. These files are particularly nasty as they bypass antivirus real-time protection via this method.
- And finally, using a simple exploit, the child could easily turn off the parental controls without the parent getting a notification, undermining the whole point of parental controls.
Because of the severity of these security flaws, it’s imperative to install the latest security update. Simply go to the Google Play Store and check for any updates for your apps.