Pair of unpatched security bugs are ‘just the tip of the iceberg’

Multiple XSS vulnerabilities in child monitoring app Canopy could risk location leak

A security researcher has reported multiple cross-site scripting (XSS) vulnerabilities in a child monitoring app that could leak data including a minor’s location.

Tripwire’s Craig Young said that he discovered the security flaws in Canopy after the application was advertised to him by his child’s school.

Canopy allows parents to control how much screen time their children have on a device, manage the device itself and all communications, and prevent the child from accessing inappropriate content.

Risky behavior

In a blog post, Young detailed how he discovered not one but three persistent XSS vulnerabilities – two of which remain unpatched – that could allow a malicious actor to access and control the app.

The researcher found that a child’s request explanation can contain XSS that executes in the dashboard, a parent’s rejection explanation can contain XSS that executes on a kid’s phone, and a URL referenced in a request can contain XSS that executes in the dashboard.

An attacker with knowledge of these flaws could inject a new script into the dashboard for any or all Canopy parent accounts, Young told The Daily Swig.

This could give them access to a whole host of data belonging to the family, including the child’s location.

“I think a more likely scenario though is that someone would monetize the exploit by selling data dumps, injecting advertisements, or mining Monero,” explained Young.

Young said the issues were all very deliberate findings, and that the first two used “nothing more than a regular <script> tag, while the last one only required some extra characters to confuse a naïve filter”.
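
All three injection points described above call for the same defence: encode untrusted text where it is written into the page, and allow only http(s) URLs into links, rather than filtering for known-bad strings. The sketch below is an added example, not Canopy's code or Young's proof of concept; the function names and the request and rejection object shapes are assumptions.

```javascript
// Added illustration, not Canopy's code. Field names and object shapes are assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML element body or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; return the normalised URL or null.
function safeHttpUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // not parseable as an absolute URL
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Render one access request (URL plus the child's explanation) for the parent dashboard.
function renderRequestForDashboard(request) {
  const url = safeHttpUrl(request.url);
  const link = url === null
    ? '<span class="blocked-url">[invalid URL removed]</span>'
    : `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`;
  return `<li>${link}<p class="explanation">${escapeHtml(request.explanation)}</p></li>`;
}

// Render the parent's rejection explanation for display on the child's device.
function renderRejectionForChild(rejection) {
  return `<p class="rejection">${escapeHtml(rejection.explanation)}</p>`;
}

// Constructed sample input, using the plain <script> tag the article mentions.
const sample = {
  url: 'https://example.test/page?q="><script>alert(1)</script>',
  explanation: 'Please allow <script>alert(1)</script>',
};
console.log(renderRequestForDashboard(sample));
console.log(renderRejectionForChild({ explanation: '<script>alert(1)</script> no' }));
```

Because the encoding happens at output, the stored value can stay exactly as the user typed it and still be shown as inert text in both the dashboard and the child's app.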

Rough disclosure

Young described the disclosure process as “rough”, telling The Daily Swig that he tried to email his findings three times and was eventually told that all issues were fixed – however, he said, this is not the case.

Canopy has so far only patched the child-to-parent XSS, Young added.

“On September 21, I confirmed that the child to parent XSS has been fixed but that the other two issues persist, and provided another set of details for reproducing the issue. They have been unresponsive since and I do not have an account now to see if anything has changed,” Young said.

The researcher eventually took his findings public and has advised users not to use the products, claiming he believes this disclosure to be “just the tip of the iceberg”.




Young said: “JavaScript blocking extensions can be helpful at thwarting XSS payloads but the best protection for a Canopy customer is to stop being a Canopy customer.

“I performed a very narrowly scoped security audit looking specifically for XSS and nothing else.

“The fact that I was successful at finding XSS literally everywhere I looked, leads me to believe that it may just be the tip of the iceberg.”

The Daily Swig has reached out to Canopy and will update this article if and when more information comes to hand.

