A lack of encryption in the Magic Kinder App for children has led to severe security and privacy issues.
Pen Test Partners confirmed that the app has security holes. Hacktive Security warns that a hacker has the ability to read children's chats, send them messages, photos and videos, or change user profile information such as gender and date of birth.
The Android app developed by the firm behind Ferrero Rocher, Nutella and Kinder was created with the intent to protect children by building a secure environment. Once installed, a private community with family and friends can be created to share photos and drawings of children, share emoticons, and exchange messages.
Researcher Maximum Draft discovered the vulnerability by intercepting traffic between the app and the backend and analysing the API calls made, which revealed the absence of restrictions on the data-sharing mechanism. The communications were also transmitted in the clear, with no encryption.
Hacktive's Francesco Mormile states the main security problems have been resolved: “The vendor released a refactored version of the app where the family diary feature (which was affected by the vulnerability) has been completely removed, so currently the application has to be considered ‘safe’.”