Parental management app with 5 million downloads weak to assaults

Kiddowares ‘Parental Management – Youngsters Place’ app for Android is impacted by a number of vulnerabilities that might allow attackers to add arbitrary information on protected units, steal consumer credentials, and permit youngsters to bypass restrictions with out the mother and father noticing.

The Youngsters Place app is a parental management suite with 5 million downloads on Google Play, providing monitoring and geolocation capabilities, web entry and buying restrictions, display screen time administration, dangerous content material blocking, distant system entry, and extra.

Researchers at SEC Seek the advice of have discovered that the Youngsters Place app variations 3.8.49 and older are weak to 5 flaws that might influence the protection and privateness of its customers.

The 5 safety points are the next:

1. Person registration and login actions return the unsalted MD5 hash of the password, which may be intercepted and simply decrypted. MD5 hashes are not thought of cryptographically safe, as they are often brute-forced utilizing fashionable computer systems.
2. The customizable title of the kid’s system may be manipulated to set off an XSS payload within the guardian internet dashboard. Kids or attackers can inject malicious scripts to execute on the guardian’s dashboard, reaching unauthorized entry. The problem has obtained the identifier CVE-2023-29079.
3. All requests within the internet dashboard are weak to cross-site request forgery (CSRF) assaults. The assault requires data of the system ID, which is obtainable from the browser historical past. The problem has obtained the identifier CVE-2023-29078.
4. An attacker might exploit the app’s dashboard function, initially supposed for fogeys to ship information as much as 10MB to their kid’s system, to add arbitrary information to an AWS S3 bucket. This course of generates a obtain URL which is then despatched to the kid’s system. No antivirus scan takes place on the uploaded information, so these can comprise malware.
5. The app consumer (youngster) can briefly take away all utilization restrictions to bypass parental controls. Exploiting the flaw, tracked as CVE-2023-28153, doesn’t generate a notification to the guardian, so it goes unnoticed until a guide verify is carried out on the dashboard.

SEC Seek the advice of’s report incorporates proof-of-concept requests or step-by-step directions on exploiting the above points, making it simple for risk actors to take advantage of the vulnerabilities on older variations of the apps or for youngsters to bypass restrictions.

Due to this fact, it’s important to replace to a safe model of the app, which is 3.8.50 or later.

The analysts found the issues on November 23, 2022, whereas testing Youngsters Place 3.8.45 and reported it to the seller, Kiddoware.

The seller finally addressed all issues with model 3.8.50, launched on February 14, 2023.

App customers can replace to the newest model by opening the Google Play retailer, tapping their account icon, choosing ‘Handle apps & system,’ and tapping on ‘Examine for updates.’

Alternatively, long-press the app’s icon after which choose App information → App particulars → Replace.