Pair of unpatched security bugs are ‘just the tip of the iceberg’
Tripwire’s Craig Young said that he discovered the security flaws in Canopy after the application was advertised to him by his child’s school.
Canopy allows parents to control how much screen time their children have on a device, manage the device itself and all communications, and prevent the child from accessing inappropriate content.
The researcher found that a child’s request explanation can contain XSS which executes in dashboard, a parent’s rejection explanation can contain XSS which executes on a kid’s phone, and a URL referenced in a request can contain XSS which is executed in the dashboard.
An attacker with knowledge of these flaws could inject a new script into the dashboard for any or all Canopy parent accounts, Young told The Daily Swig.
This could give them access to a whole host of data belonging to the family, including the child’s location.
“I think a more likely scenario though is that someone would monetize the exploit by selling data dumps, injecting advertisements, or mining Monero,” explained Young.
Young said the issues were all very deliberate findings, and that the first two used “nothing more than a regular