The possible cyberattacks include disabling monitoring, location-tracking of children and malicious redirects of parent-console users.
Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting (XSS) attacks, according to researchers.
The attacks could range from a sneaky kid disabling the monitoring to a much more serious third-party attack delivering malware to parental users.
Canopy offers sexting prevention, on-device photo protection (through image filtering), screen-time monitoring, child communication alerts for parents and smart content filtering for weeding out inappropriate websites. For parents, it also offers remote device management and the ability to control which applications and websites their child uses.
To perform such wonders, Canopy uses an artificial intelligence engine and VPN filtering – plus a healthy number of device permissions.
“The installation process involved authorizing a wide set of permissions including accessibility support, the ability to draw on top of other apps, installing a root CA and configuring a VPN,” explained Craig Young, security researcher at Tripwire, in a report published on Tuesday. “The app can also (optionally) act as a device administrator to prevent app removal… This privileged