Security watchers have warned of massive privacy problems with the Magic Kinder App for children.
A lack of encryption within the Magic Kinder smartphone app and other security shortcomings open the doors for all sorts of exploits, they claim.
Hacktive Security alleges that a malicious user could “read the chat of the children, send them messages, photographs and videos or change user profile info such as date of birth and gender,” as explained in detail in a blog post.
The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher.
The mobile software aims to offer “strategic, educational games and quizzes to improve children’s skills and development”.
Ferrero has yet to respond to a request for comment.
Joe Bursell, marketing manager at independent security consultancy Pen Test Partners, said that the Magic Kinder App is riddled with basic security problems.
“These are not subtle, hard-to-find issues,” Bursell told El Reg. “You’d see those IDs in the proxy within minutes of testing and the first thing you would do is manually increment/decrement them.”
“There are no authorisation checks on any of the requests. This means that anyone can: send a message to your kids, read your family diary, and change other data about people, e.g. gender.”
“Also, it doesn’t use encryption,” Bursell added.
Probably laden with spyware to hoover up all sorts of family data.