The ‘Parental Control – Kids Place’ app developed by Kiddowares for Android has been discovered to have several vulnerabilities that pose significant risks.
These vulnerabilities can potentially be exploited by attackers to perform various malicious activities, including uploading unauthorized files on protected devices, compromising user credentials, and enabling children to bypass imposed restrictions without parental awareness.
The Kids Place app has gained popularity among Android users, with over 5 million downloads from the Google Play Store.
It provides a comprehensive suite of parental control features, such as monitoring and geolocation capabilities, restrictions on internet access and purchases, management of screen time, blocking of harmful content, remote device access, and more.
In recent findings by SEC Consult Group, a series of security vulnerabilities were discovered in a parental control app called Kids Place.
These vulnerabilities allowed malicious actors to exploit the app, gaining access to login credentials, surreptitiously sending files to a child’s device, and even installing malware onto the system.
Alarmingly, these attackers were able to override all device restrictions and circumvent parental settings without detection.
According to BleepingComputer, the identified security issues in the Kids Place parental control app are as follows:
- Weak password protection: User passwords are stored as unsalted MD5 hashes, which can be easily cracked.
- Cross-Site Scripting (XSS) vulnerability: Manipulating the child’s device name allows for the injection of malicious scripts, granting unauthorized access to the parent’s web dashboard (CVE-2023-29079).
- Cross-Site Request Forgery (CSRF) vulnerability: All requests in the web dashboard are susceptible to CSRF attacks, requiring knowledge of the device ID obtained from the browser history (CVE-2023-29078).
- Arbitrary file upload: The app’s file transfer feature can be exploited to upload any file to an AWS S3 bucket without antivirus scanning, potentially introducing malware.
- Bypassing parental controls: Children can temporarily remove usage restrictions without generating a notification to the parent, making it difficult to detect (CVE-2023-28153).
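As an added example (not code from Kids Place, Kiddowares or SEC Consult), the following Python contrasts the unsalted-MD5 storage described in the first bullet with a salted, iterated hash, and shows how a service can migrate legacy records at login time; the function names, record format and work factor are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the server's budget


def legacy_md5(password):
    """The weak scheme the report describes: unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def table_lookup(stored, candidates):
    """Why unsalted MD5 fails: a single precomputed table of candidate hashes
    maps a stored value straight back to the password, for every user at once."""
    table = {legacy_md5(p): p for p in candidates}
    return table.get(stored)


def hardened_hash(password, iterations=ITERATIONS):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the
    standard library). The record carries everything needed to verify it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def hardened_verify(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password, record, iterations=ITERATIONS):
    """Login-time migration: accept a legacy MD5 record once, then return a
    hardened record to store in its place. Returns (accepted, record_to_store)."""
    if record.startswith("pbkdf2_sha256$"):
        return hardened_verify(password, record), record
    if hmac.compare_digest(legacy_md5(password), record):
        return True, hardened_hash(password, iterations)
    return False, record
```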
Dr. Klaus Schenk, Senior Vice President of Security and Threat Research at Verimatrix, emphasized the critical nature of cybersecurity in both the architecture and design of web servers and applications.
The vulnerabilities exposed in the Kiddowares parental control app for Android underline the importance of prioritizing cybersecurity and adhering to secure coding practices during development.