Moreover, we wanted to find out which and how much data is being collected and stored by these apps in general. The goal of this infosec research was to find out whether the apps' users are properly separated from each other in order to prevent unauthorized third parties accessing their data or devices. To block and control access to potentially harmful or non-child-friendly content or restrict usage times, parents often install parental control apps on the children's devices. Nowadays, children have access to smartphones or tablets at an early age or already possess their own devices. We are going to release further technical details through security advisories after those patches are publicly available. The identified security vulnerabilities should be fixed in the near future, according to the vendors. The SEC Consult Vulnerability Lab is already in contact with some of the vendors mentioned below through our responsible disclosure process. Since many of these apps collect a lot of private data of children, and some may even store the data in the cloud beyond the reach of GDPR, the privacy of the surveilled children may be at risk. Additionally, the Android apps’ restrictions imposed by the parents could be easily bypassed by the children by removing the necessary permissions in the settings app or by using the safe mode feature of Android. These vulnerabilities allowed the attacker to bypass the restrictions set by the parents, or even attack the parents themselves. During their analysis, they found out that the parent web dashboards were susceptible to cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks. Fabian Densborn and Bernhard Gründling of the SEC Consult Vulnerability Lab recently discovered several security vulnerabilities in popular parental control apps for the Android platform.
0 kommentar(er)
