Kiddowares ‘Parental Regulate – Young children Place’ app for Android is impacted by various vulnerabilities that could empower attackers to add arbitrary data files on guarded units, steal user qualifications, and enable little ones to bypass limitations devoid of the dad and mom noticing.

The Youngsters Position application is a parental regulate suite with 5 million downloads on Google Engage in, supplying monitoring and geolocation abilities, net accessibility and paying for limits, monitor time administration, dangerous articles blocking, remote unit obtain, and additional.

The vulnerable app on Google Play
The susceptible app on Google Perform (BleepingComputer)

Researchers at SEC Seek advice from have uncovered that the Young ones Area application variations 3.8.49 and more mature are vulnerable to five flaws that could impact the protection and privateness of its people.

The 5 safety issues are the pursuing:

  1. Consumer registration and login actions return the unsalted MD5 hash of the password, which can be intercepted and very easily decrypted. MD5 hashes are no longer regarded cryptographically protected, as they can be brute-pressured applying modern computers.
  2. The customizable name of the kid’s system can be manipulated to set off an XSS payload in the guardian world wide web dashboard. Youngsters or attackers can inject destructive scripts to execute on the parent’s dashboard, obtaining unauthorized entry. The problem has obtained the identifier CVE-2023-29079.
  3. All requests in the web dashboard are vulnerable to cross-site ask for forgery (CSRF) attacks. The assault necessitates awareness of the machine ID, which is obtainable from the browser historical past. The difficulty has obtained the identifier CVE-2023-29078.
  4. An attacker could exploit the app’s dashboard attribute, at first intended for parents to send information up to 10MB to their child’s unit, to add arbitrary data files to an AWS S3 bucket. This process generates a download URL which is then despatched to the kid’s machine. No antivirus scan requires spot on the uploaded information, so these can incorporate malware.
  5. The application user (youngster) can briefly clear away all utilization limitations to bypass parental controls. Exploiting the flaw, tracked as CVE-2023-28153, does not generate a notification to the father or mother, so it goes unnoticed until a manual check is performed on the dashboard.
HTTP POST request to upload a malicious text file on AWS
HTTP Put up ask for to upload a malicious textual content file on Kiddoware’s server (SEC Consult with)

SEC Consult’s report includes evidence-of-strategy requests or phase-by-stage recommendations on exploiting the earlier mentioned problems, producing it quick for risk actors to exploit the vulnerabilities on more mature variations of the apps or for small children to bypass limits.

Thus, it is vital to update to a safe version of the app, which is 3.8.50 or later.

The analysts learned the flaws on November 23, 2022, even though tests Children Location 3.8.45 and claimed it to the vendor, Kiddoware.

The vendor eventually addressed all troubles with version 3.8.50, produced on February 14, 2023.

Application buyers can update to the most current variation by opening the Google Enjoy shop, tapping their account icon, picking ‘Manage applications & machine,’ and tapping on ‘Check for updates.’

Alternatively, lengthy-push the app’s icon and then select Application infoApplication informationUpdate.