Researchers uncovered several vulnerabilities in apps found on Leapfrog’s LeapPad Ultimate Tablet. The vulnerabilities could be used to locate kids, interact with them, or phish parents for sensitive information.
After examining the tablet, researchers at cybersecurity company CheckMarx discovered that one of its apps, Pet Chat, can expose the location of the tablet.
The Pet Chat app was designed to help kids safely talk to one another in a chatroom. However, it also creates an ad-hoc WiFi network that broadcasts to wireless devices in its proximity using the SSID ‘Pet Chat.’ That SSID can be used to identify the tablet’s geographical position through the WiGLE wireless network mapping service.
So, anyone scanning the area for WiFi signals and uploading them to WiGLE can collect details about the hotspot, including the MAC address and the time of the scan.
Researchers also found that the popular children’s tablet did not use HTTPS, so any data it transmitted was not encrypted.
Attackers could easily intercept information traveling from the tablet, leaving it susceptible to man-in-the-middle (MitM) attacks.
In one instance, the researchers were able to modify Leapfrog’s LeapSearch portal to create a “phishing version” that asked for sensitive information not normally required for online transactions.
Luckily, CheckMarx said Leapfrog quickly resolved these issues and removed Pet Chat from its stores. However, the app may still be present on older devices, so parents are asked to manually uninstall it.