Multiple XSS vulnerabilities in child monitoring app Canopy ‘could risk location leak’
06 October 2021 at 14:25 UTC
Updated: 07 October 2021 at 09:09 UTC
Pair of unpatched security bugs are ‘just the tip of the iceberg’
Tripwire’s Craig Young said that he discovered the security flaws in Canopy after the application was advertised to him by his child’s school.
Canopy allows parents to control how much screen time their children have on a device, manage the device itself and all communications, and prevent the child from accessing inappropriate content.
The researcher found three injection points: a child's request explanation can carry an XSS payload that executes in the parent dashboard, a parent's rejection explanation can carry a payload that executes on the child's phone, and a URL referenced in a request can carry a payload that executes in the dashboard.
An attacker with knowledge of these flaws could inject a new script into the dashboard for any or all Canopy parent accounts, Young told The Daily Swig.
This could give them access to a whole host of data belonging to the family, including the child’s location.
“I think a more likely scenario though is that someone would monetize the exploit by selling data dumps, injecting advertisements, or mining Monero,” explained Young.
Young said the issues were all very deliberate findings, and that the first two used “nothing more than a regular <script> tag, while the last one only required some extra characters to confuse a naïve filter”.
Young described the disclosure process as “rough”, telling The Daily Swig that he emailed his findings three times and was eventually told that all of the issues had been fixed – which, he said, is not the case.
Canopy has so far only patched the child-to-parent XSS, Young added.
“On September 21, I confirmed that the child to parent XSS has been fixed but that the other two issues persist, and provided another set of details for reproducing the issue. They have been unresponsive since and I do not have an account now to see if anything has changed,” Young said.
The researcher eventually took his findings public and has advised users not to use the product, saying he believes this disclosure to be “just the tip of the iceberg”.
“I performed a very narrowly scoped security audit looking specifically for XSS and nothing else.
“The fact that I was successful at finding XSS literally everywhere I looked, leads me to believe that it may just be the tip of the iceberg.”
The Daily Swig has reached out to Canopy and will update this article if and when more information comes to hand.