
Canopy Parental Control App Wide Open to Unpatched XSS Bugs
2021-10-06 21:27

Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting attacks, according to researchers.

The attacks could range from a sneaky kid disabling the monitoring to a much more serious third-party attack delivering malware to parental users.

Once a page is compromised in this way, any visitor is a potential victim: in a stored XSS scenario the payload fires as a drive-by on every visit, while in a reflected XSS attack the target must first be convinced to click a crafted link.

"An attacker can embed an attack payload within an exception request. Although there may be a wide range of ways a clever kid could abuse this vulnerability, the most obvious would be to automatically approve a request," he said.

It turns out that the Canopy API design could allow an external attacker to directly inject an XSS payload into a parent-account webpage by guessing the parent account ID. That would open the door to redirections to ads, exploits, malware and more.

Most sinisterly, an attacker could hijack access to the parental control app itself, installed on the kid's phone, and pull GPS coordinates from protected devices on the account.
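As an added illustration (not code from the Threatpost article or from Canopy), the JavaScript below shows the two defensive patterns the findings point to: output-encoding a child's exception-request text before it is rendered in the parent dashboard, and scoping requests to the authenticated parent instead of a client-supplied account ID. All field names, identifiers and sample requests are hypothetical.

```javascript
// Added illustration, not Canopy's code. Models a parent-dashboard view of a
// child's "exception request" with and without output encoding, plus a lookup
// that trusts the session rather than a guessable parent account ID.

// Minimal HTML escaping for text placed inside element content or attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: child-controlled fields are concatenated straight into
// markup, so a payload placed in the request executes in the parent's page.
function renderRequestUnsafe(req) {
  return `<li class="request" data-id="${req.id}">` +
         `${req.site}: ${req.reason} <button>Approve</button></li>`;
}

// Hardened pattern: every untrusted field is encoded before reaching the DOM.
function renderRequestSafe(req) {
  return `<li class="request" data-id="${escapeHtml(req.id)}">` +
         `${escapeHtml(req.site)}: ${escapeHtml(req.reason)} ` +
         `<button>Approve</button></li>`;
}

// Hardened lookup: the parent ID comes from the authenticated session, never
// from the URL or request body, so guessing another parent's ID returns nothing.
function requestsForParent(session, allRequests) {
  if (!session || !session.parentId) return [];
  return allRequests.filter((r) => r.parentId === session.parentId);
}

// Detection helper for the demo: does the rendered HTML still contain a raw
// (unescaped) tag that a browser would interpret?
function containsRawTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

// Constructed sample data (hypothetical): one benign request, one carrying a
// classic test payload, and one belonging to a different parent.
const SAMPLE_REQUESTS = [
  { id: "r1", parentId: "parent-A", site: "example.org", reason: "homework" },
  { id: "r2", parentId: "parent-A", site: "example.net",
    reason: '<img src=x onerror="alert(1)">' },
  { id: "r3", parentId: "parent-B", site: "example.com", reason: "game" },
];
```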


News URL

https://threatpost.com/canopy-parental-control-app-unpatched-xss-bugs/175384/