This top parental control app has a serious security flaw

(Image credit: Shutterstock)

A flaw in the popular parental control app, Canopy, makes it vulnerable to cross-site scripting (XSS) attacks, report cybersecurity researchers.

The Canopy parental control app has an exhaustive list of features that allow parents to limit and monitor use of protected devices. 

It was advertised to Tripwire’s Craig Young by his child’s school, who then discovered that the app fails to sanitize user-inputs. The flaw can be exploited by planting a malicious JavaScript into the parent portal. 

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“When the parent logs in, the attacker would have access to the parent portal and all features a parent has for monitoring and controlling child devices. It looks like an attacker would be able to do this en masse to all customers of Canopy,” notes Young in his breakdown of the app’s flaws.

Abusing privileged access

Being a security researcher, Young was intrigued by the app’s list of features, many of which suggested that the app will have privileged access to the protected device. This privileged access has the potential of introducing risk to the protected devices and the privacy of the children using those devices, argues Young.

While exploring the app he discovered that the block page  enabled the child to request access to the blocked resource page, as well as a text box to send a message. Much to Young’s surprise though, the input field wasn’t sanitized and allowed up to 50 characters, which he notes is enough to call in a malicious external script.

While his first tests were innocent examples of how a child could exploit the vulnerability to access blocked resources, and even pause monitoring protection altogether.  

However, the threats arising out of the vulnerability were a lot more serious, and Young has consciously avoided sharing details in his post since Canopy has failed to fix all the attack scenarios.

“I reached out to Canopy by phone and by email repeatedly. Ultimately, they produced a fix for the XSS from child to parent but failed to do anything to protect against the parent to child XSS or XSS through the URL of a blocked page request before becoming unresponsive. Canopy needs to implement sanitization of all user-input fields but has failed to do so,” claims Young.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.