Parental control apps are meant to help keep your child safe on their devices, but that has backfired in a big way with one popular Android parental control app.
SEC Consult Group identified numerous security flaws in a parental control app called Kids Place, allowing malicious actors to access private information such as login credentials, send files to a child's device without parental knowledge, or install malware onto the system. These individuals could even remove all restrictions set on the device and bypass any settings established by the parent.
While these vulnerabilities were discovered months ago, they continue to impact users today. It's urgent that those who have Kids Place downloaded update it to any version of the application listed as 3.8.50 or later. Even though the update addressing these problems was pushed on February 14 of this year, not everyone has updated to the more recent versions.
This parental control application is dangerous
Kids Place is an application that lets users monitor their children's screen time and activity on phones and tablets. Parents can set "agreeable limits," with the owner company, Kiddoware, offering other apps like Safe Browser and a kid's oriented video player.
The same company also features a slew of blog posts which inform parents on how to stay as safe as possible while using technology. While the company specializes in keeping their consumer base's children safer, these vulnerabilities could still be present in an older version of the application.
The issues identified in Kids Place from @kiddoware were part of our blog post on 8 different parental control #apps and the vast number of #vulnerabilities that we’ve found in them 👉 https://t.co/efM30Uqyfa #parenting #infosec #onlinesafety @divercinety @densi_1101 pic.twitter.com/8D9toQx1aqMay 16, 2023
SEC Consult goes in-depth highlighting the methods in which Kids Place could put parents and their children at risk of a cyber attack. First, Kiddoware stores its users passwords in an "insecure format at the server" through something called "MD5 hashing," which SEC claims modern applications should not be using anymore.
The second vulnerability allows children and malicious actors to access their parent's account and take control. The third allows attackers to download files to the child's device simply by accessing a website. The fourth allows hackers to send malware directly to their child's device through the app's web dashboard. And the final insecurity allows the child or attacker to remove all restrictions without parents being informed.
If you're running version 3.8.49 or older of Kids Place, you must update your application as soon as possible. Malicious actors can get a hold of your information and send dangerous files, alongside the potential for your child to perform actions without your knowledge.
