Researcher finds vulnerability in popular parental control app Canopy
A researcher with cybersecurity firm Tripwire has discovered a vulnerability in parental control app Canopy that allows attackers to plant JavaScript into the parent portal and gain access to all the features a parent would have with their child's device.
Tripwire principal security researcher Craig Young told ZDNet that Canopy had been advertised to him through his child's school, prompting him to look through the app's cybersecurity features.
"I had an interest in learning more about how parental control software is implemented and what, if any, risks it may introduce to families. I discovered these vulnerabilities by intentionally examining how the system processes special characters in parental control requests," Young said.
"My kids' school sent home advertisements for Canopy, and so I thought it would be a good service to learn more about. After signing up for a free trial to see what the service has to offer, I tested what would happen if the parent of a kid had special characters in their request message. It was obvious that Canopy is not filtering the user-input."
From there, he investigated further and realized that the URL in a parental control request was also not being filtered properly. He found that a completely external user can inject this XSS with only a single unknown numeric ID value, allowing an attacker to add JavaScript code to the parent portal for each and every Canopy account.
The JavaScript could then be used to do anything from cryptocurrency mining to browser exploits targeting parents. The JavaScript could also be used to export data about the customer accounts, including location data from monitored devices. The data dump could be sold for a variety of unwelcome purposes, Young added.
An attacker would have full access to the parent portal and all parent features for monitoring and controlling child devices. Young said it looks like an attacker would be able to do this en masse to all customers of Canopy.
Young contacted Canopy but said they have been "minimally responsive," claiming to have a fix in place. But Young said the fix does not address the full issue and only makes it, so a theoretical child can no longer attack their parent with the explanation text. But the child can still attack the parent account using the address of a blocked website as the cross-site scripting vector, and a third party could also do this, Young said.
They have not responded to his latest outreach, letting them know this. Canopy also did not respond to requests for comment from ZDNet.
Canopy offers a multitude of services, including a multi-platform parental control app that allows parents to monitor and limit how their children use a device. Canopy operates as a subscription service -- requiring monthly payments.
Many of the features offered by the service imply the app is given privileged access to the protected device and is intercepting TLS connections to filter content.
Young explained that this privileged access could introduce considerable risk to the security of protected devices and the children's privacy using those devices.
He noted that Canopy implements a VPN connection and uses some form of AI on the device for privacy functions.
Through examining how the app functions, Young discovered that the Canopy system fails to sanitize user inputs, leading to cross-site scripting, allowing attackers to embed an attack payload within an exception request.
"Although there may be a wide range of ways a clever kid could abuse this vulnerability, the most obvious would be to approve a request automatically. The input field did not seem to have any sanitization and allowed 50 characters which were plenty to source an external script," Young explained in his report.
"My first test was a payload to click to approve the incoming request automatically. This worked well, and I quickly got another payload working to pause monitoring protection automatically. At this point, the child using the protected device could inject arbitrary JavaScript into an authenticated parent session. This could be useful for various child-to-parent attacks, including making a self-approving exception request or a request that automatically disables the monitoring software when viewed. This is bad, but it could be worse."
Young noted that this kind of exploitation is "noisy," meaning a parent needs to interact with the malicious request and recognize the attack in progress.
Further examination of the Canopy app showed that the system could be tricked by combining double and single quotes. With that, someone could submit an exception request which takes control of the Canopy app when the parent simply logs in to check on the monitored devices.
"This situation does not bode well for the Canopy parental control system, but at the same time, you may be wondering if this is really a big deal. After all, most kids who are being monitored with this system aren't going to have a clue about XSS or have access to a parent console to develop an exploit payload," Young wrote.
"Unfortunately, the attack surface for this vulnerability is quite a bit more substantial than what was discussed earlier with request explanation text. Because this attack involves a crafted URL being blocked, it becomes possible for attacks to come from completely external third-party sources. Anyone who can get a child using the protected device to click a link can now potentially attack the parent's monitoring this account."
A child only needs to be convinced to click on a request access button once the URL has been loaded. Still, Young said the scariest part is that the Canopy API design will "even allow the external attacker to directly plant a cross-site scripting payload on a parent account by guessing the parent account ID."
According to Young, due to the relatively short length of account IDs, attackers could theoretically seed the attack payload on every single parent account by simply issuing a block exception request for each ID value in the sequence.
"The external attacker may use this to redirect the parent to advertisements, exploits or other malicious content. Alternatively, an attacker could plant a payload to hijack access to the parental control app and pull GPS coordinates from protected devices on the account," Young said.
"From my perspective, this is a pretty fundamental failure for an app advertising it can keep kids safe online."
A number of cybersecurity experts told ZDNet that these types of flaws are present in a large number of services.
Oliver Tavakoli, CTO at Vectra, said the developers of the Canopy service seem to lack an understanding of how to secure a service against malicious actors, adding that by not cleansing input fields or data (such as URLs) received from the internet "is to fail Security 101."
Tavakoli said that this particular flaw is somewhat harder to exploit because it requires coaxing a child to click on a link to deliver a payload to a parent system.
Others said the vulnerability was another example of why "Injection" flaws have been in the OWASP Top 10 for more than a decade.
Ray Kelly, the principal security engineer at NTT Application Security, said developers are still careless when accepting untrusted and unfiltered user input.
"Accepting unfiltered input can lead to a cross-site scripting vulnerability which can create a wide range of issues. This includes stealing a user session cookies, redirecting to a malicious website or embedding a keylogger," Kelly said.
"This also demonstrates why security testing of all inputs in a web application is so important and how it can reach to mobile devices, drastically increasing your attack surface."
When asked how Canopy can fix the issue, Young said Canopy needs to sanitize all user-input values.
"I would also recommend that Canopy establish a security reporting policy and guidelines for how researchers can responsibly probe their systems and share technical feedback," Young added.