Canopy Parental Control App Wide Open to Unpatched XSS Bugs
The Canopy parently control app that allows parents to protect kids online via content inspection, is vulnerable to multiple serious cross-site scripting attacks that could lead to disabling monitoring, location tracking of children, and malicious redirects of parent console users. The flaws may also allow for an attacker to deliver malware to parental users. Canopy offers sexting prevention, on-device photo protection, screen-time monitoring, child communication alerts, smart content filtering, and more to protect children from harmful content online.
Canopy deploys the use of artificial intelligence and VPN filtering to achieve content-blocking results, as well as device permissions. However, there are several opportunities to attack the tool via XSS attacks that occur when malicious scripts are injected into otherwise trusted sites. Once a website is compromised, any visitor to it is potentially a victim. Security researchers found that Canopy failed to set up proper security verifications on the server-side to prevent these types of attacks.