In the era of digital natives, keeping our children safe online is a top priority for parents worldwide. Kiddoware, a global leader in parental control solutions, has been providing a safety net for over five million families. However, recent discoveries have shown that even the best-intentioned tools can have vulnerabilities that could potentially harm the very individuals they aim to protect.
A Closer Look at the Vulnerabilities
Five significant security issues have been identified in the Kiddoware Kids Place Parental Control Android App, each presenting a distinct risk to user security. Let’s delve into each one.
1) Unsalted MD5 Hash Passwords: Login and registration requests were found to return the unsalted MD5 hash of the user’s password. This is a clear indication that passwords are stored in an insecure format on the server. MD5 has known weaknesses, is outdated, and should not be used in modern applications.
2) Stored XSS via Device Name (CVE-2023-29079): In an interesting twist, the customizable name of a child’s device can trigger a cross-site scripting (XSS) payload in the parent’s web dashboard. This vulnerability means that children could potentially attack their parents’ accounts.
3) Potential CSRF Attacks (CVE-2023-29078): All requests in the web dashboard are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker must know the device ID to launch a successful attack, but this ID is not considered secret and can be found in some URL requests or even in the browser history.
4) Arbitrary File Upload to AWS S3 Bucket: The web dashboard allows parents to send files to their child’s device. However, an attacker can exploit this feature to send arbitrary files, up to ~10MB, to the AWS S3 bucket, and subsequently, to the child’s device. Given that the returned link is publicly available, this vulnerability could be used to spread malware.
5) Disable Child App Restriction without Notice (CVE-2023-28153): Perhaps the most alarming of all, a child can temporarily remove all restrictions without alerting the parents.
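For item 1, the following added Python example (not code from Kiddoware or SEC Consult) contrasts the unsalted MD5 scheme with a salted, deliberately slow hash and builds the login reply from an allow-list so no credential material is returned. PBKDF2-HMAC-SHA256, the iteration count and the account field names are assumptions chosen for illustration, and the sample account is constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_unsalted(password: str) -> str:
    """The weak scheme described in item 1: no salt, one fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> dict:
    """Salted, slow hash; a fresh random salt is stored with each account."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, stored: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        bytes.fromhex(stored["salt"]), stored["iterations"],
    )
    return hmac.compare_digest(digest.hex(), stored["hash"])


PUBLIC_FIELDS = ("user_id", "email")  # hypothetical response fields


def login_response(account: dict) -> dict:
    """Build the API reply from an allow-list, never from the whole record."""
    return {key: account[key] for key in PUBLIC_FIELDS}


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "correct horse battery staple"
    print("MD5 digests equal:   ", md5_unsalted(pw) == md5_unsalted(pw))
    first, second = hash_password(pw), hash_password(pw)
    print("salted hashes equal: ", first["hash"] == second["hash"])
    account = {"user_id": 1, "email": "parent@example.com", "password": first}
    print("login reply:         ", login_response(account))
```

With the unsalted scheme, every account that shares a password shares a digest; with per-account salts the stored values differ, and the reply never carries the hash at all.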
The Affected Versions
The vulnerabilities have been confirmed in versions 3.8.45 and 3.8.49 of the Kiddoware Kids Place Parental Control Android App. Both of these versions were available for download through the Google Play store at the time of testing.
Addressing the Issue
In response to these vulnerabilities, Kiddoware has released a patched version of the app, version 3.8.50 or higher, which users are urged to install immediately from the Google Play store. Unfortunately, there are no available workarounds for the vulnerabilities in the older versions.
Via: seclists | Source: SEC Consult