This top parental control app has some serious security flaws


A popular Android parental control app carried multiple vulnerabilities that allowed children to bypass parental controls, and threat actors to install malware or steal sensitive data from devices running it.

The app in question is called Parental Control - Kids Place, built by a company called Kiddowares. It has more than five million downloads on Google Play, and offers all kinds of parental control features, from monitoring and geolocation, to internet restrictions and payment restrictions. Parents can also track how their children spend time on the device, and make sure they’re safe from any malicious content.

The findings were outlined in a report from cybersecurity researchers SEC Consult, which is now urging users to update the app to the latest version immediately.

Deploying malware

SEC Consult’s researchers found versions 3.8.49 and older vulnerable to five flaws.

The first allows threat actors to intercept and decrypt user registration and login data, meaning they could obtain sensitive information such as login credentials.

The second, tracked as CVE-2023-29079, allows for cross-site scripting attacks, which threat actors can use to inject malicious scripts into the parents' dashboard. The third one, tracked as CVE-2023-29078, is a cross-site request forgery (CSRF) flaw, while the fourth one allows attackers to send files up to 10MB in size to the child’s device.

This one is particularly dangerous as the files are uploaded to an AWS S3 bucket, where they’re not scanned and could contain malware. The fifth one, tracked as CVE-2023-28153, allows children (or threat actors) to temporarily remove all usage restrictions. Unless they manually check the dashboard, the parents won’t know this change occurred.

The researchers said that all versions prior to 3.8.50 are vulnerable, and have urged users to update immediately. The patch was released on February 14, 2023.

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
