Canopy Parental Control App Vulnerable to Unpatched XSS Bugs
Reading Time: 3 minutes

Canopy parental control App vulnerable to unpatched XSS bugs, thus enabling bad actors to disable monitoring, location-tracking of children, and malicious redirects of parent-console users.

The parental control app is meant to protect kids online via content inspection. According to researchers, it is vulnerable to numerous cross-site scripting (XSS) attacks

The Canopy parental control app features sexting prevention, on-device photoprotection via image filtering, screen time monitoring, child communication alerts for parents, smart content filtering for weeding out inappropriate websites. Additionally, for the parent, the app offers remote device management and the ability to control the use of the applications and websites their child uses.

The parental control app also uses an artificial intelligence engine and VPN filtering, along with a healthy number of device permissions.

According to the Tripwire report published on Tuesday, “The installation process involved authorizing a wide set of permissions including accessibility support, the ability to draw on top of other apps, installing a root CA and configuring a VPN. The app can also (optionally) act as a device administrator to prevent app removal…This privileged access can introduce considerable risk to the security of protected devices and the privacy of the children using those devices.”

Swarmed with XSS Issues

Craig Young discovered in his findings, the Android version of the app consisted of several opportunities to mount XSS attacks. These occur when malicious scripts are injected into otherwise benign and trusted websites.

Bad actors usually enter malicious code into a web response or comment field and hit enter. Later the payload is sent to a web server, these responses are generally validated on the side in order to block the malicious scripts. Though in the case of the Canopy app these checks are missing in several areas. Leading to a compromised website, which means any visitor to the site is potentially a victim. Either from a drive-by attack in a stored XSS scenario, or the victim is lured into clicking a link in a reflected XSS attack.

According to Young, when he tried to load a prohibited site, he was greeted with a block notification page on a test Android device. The notification page has a button allowing the kids to ask his or her parents to access the requested page. He clicked the button on his test device to append with a simple XSS payload script, to create a JavaScript pop-up on the parental website. Visiting the portal the popup was there and he found the XSS worked in the opposite direction.

Young explained, “I decided to deny the request and again insert an XSS payload as explanation text. The protected phone received a notification about the response. When I opened this notification, I was again greeted with my XSS pop-up.”

The reason for this being the system fails to sanitize user inputs and the input field allows 50 characters. He discovered, “which was plenty to source an external script,” and there are multiple ways to exploit the issue.

He said, “An attacker (e.g. the monitored kid) can embed an attack payload within an exception request. Although there may be a wide range of ways a clever kid could abuse this vulnerability, the most obvious would be to automatically approve a request. My first test was a payload to automatically click to approve the incoming request. This worked well, and I quickly got another payload working to automatically pause monitoring protection.”

A number of child-to-parent attacks can be carried out by a kid with some scripting knowledge. For example, a URL value in the block-notification page query (indicating which website is being denied) is displayed on the main page of the parent dashboard.

He further explained, “I did a quick test of adding a script tag into the URL and loaded up the parent console. The JavaScript is executed when loading the main page of the parent dashboard. We now can submit an exception request which takes control of the Canopy app when the parent simply logs in to check on the monitored devices.”

Also, the account IDs are short numeric values which make it easy for an attacker to send the attack payload on every single parent account by simply issuing a block exception request for each ID value in the sequence.

Canopy has been informed about the vulnerability by phone and by email repeatedly, though the researcher has yet to get a response, leading to his disclosure of issues.
According to Young the only possible solution to this issue is, “Canopy needs to implement sanitization of all user-input fields but has failed to do so. After repeated attempts to work with the vendor, we are publishing this report (with some details removed) so that others can learn from it and act accordingly.”

Related Articles:

Apache Warns of Zero-Day Exploit
Google Chrome Browser Has Three Vulnerabilities
Air Gapped Systems Can Be Hacked by Creating Wireless Signals with Ethernet Cable