Security watchers have warned of massive privacy problems with the Magic Kinder App for children.
A lack of encryption within the Magic Kinder smartphone app and other security shortcomings open the doors for all sorts of exploits, they claim.
Hacktive Security alleges that a malicious user could "read the chat of the children, send them messages, photographs and videos or change user proﬁle info such as date of birth and gender," as explained in detail in a blog post here.
The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher.
The mobile software aims to offer “strategic, educational games and quizzes to improve children's skills and development”.
Ferrero has yet to respond to a request for comment.
Joe Bursell, marketing manager at independent security consultancy Pen Test Partners, said that the app Magic Kinder App is riddled with basic security problems.
“These are not subtle, hard-to-find issues,” Bursell told El Reg. “You'd see those IDs in the proxy within minutes of testing and the first thing you would do is manually increment/decrement them.”
“There are no authorisation checks on any of the requests. This means that anyone can: send a message to your kids, read your family diary, and change other data about people, e.g. gender.”
“Also, it doesn't use encryption,” Bursell added.
Reg tipster Clive, who brought the issue to our attention, commented: “The app seems to only be available to users in Europe – certainly a violation of several EU directives.”
There’s been heightened concern over the security of technology provided to children over recent months following the high profile VTech hack last November. VTech servers holding customer information were breached. In a statement, VTech admitted that it had failed to secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service. ®
Sponsored: Webcast: Simplify data protection on AWS