Kiddowares ‘Parental Control – Kids Place’ app for Android is affected by multiple vulnerabilities that could allow attackers to upload arbitrary files to protected devices, steal user credentials and allow children to bypass restrictions without the parents noticing.

The Kids Place app is a parental control suite with 5 million downloads on Google Play, offering monitoring and geolocation capabilities, internet access and purchase restrictions, screen time management, blocking of harmful content, access to remote devices, etc.

The vulnerable app on Google Play (Computer Beep)

Researchers from SEC Consulting found that versions 3.8.49 and earlier of the Kids Place app are vulnerable to five flaws that could impact the security and privacy of its users.

The five security issues are:

  1. User registration and login actions return the unsalted MD5 hash of the password, which can be intercepted and easily decrypted. MD5 hashes are no longer considered cryptographically secure, as they can be brute-forced using modern computers.
  2. The child’s customizable device name can be manipulated to trigger an XSS payload in the parent web dashboard. Children or attackers can inject malicious scripts to be executed on parent dashboard thereby gaining unauthorized access. The issue has been assigned the identifier CVE-2023-29079.
  3. All Web Dashboard requests are vulnerable to Cross-Site Request Forgery (CSRF) attacks. The attack requires knowledge of the device ID, which can be obtained from the browser history. The issue has been assigned the identifier CVE-2023-29078.
  4. An attacker could exploit the dashboard functionality of the app, originally intended for parents to send files up to 10MB to their child’s device, to upload arbitrary files to an AWS S3 bucket. This process generates a download URL which is then sent to the child’s device. Downloaded files are not scanned for virus, so they may contain malware.
  5. The app user (child) can temporarily remove all usage restrictions to bypass parental controls. Exploitation of the flaw, tracked as CVE-2023-28153, does not generate a notification to the parent, so it goes unnoticed unless a manual check is performed on the dashboard.
HTTP POST request to upload a malicious text file to AWS
HTTP POST request to upload malicious text file to Kiddoware server (SEC Consulting)

SEC Consult’s report contains proof-of-concept requests or step-by-step instructions on exploiting the above issues, making it easy for threat actors to exploit vulnerabilities in older versions of applications or children to circumvent restrictions.

Therefore, it is essential to update to a secure version of the app, which is 3.8.50 or later.

Analysts discovered the flaws on November 23, 2022, when testing Kids Place 3.8.45 and reported it to the vendor, Kiddoware.

The vendor finally fixed all the issues with version 3.8.50, released on February 14, 2023.

App users can update to the latest version by opening the Google Play store, tapping their account icon, selecting “Manage Apps & Device” and tapping “Check updates “.

You can also long press the app icon and then select Application InformationApplication DetailsUpdate.

Source link