Magic Kinder App
A children's app made by the Kinder chocolate brand has been found to contain no encryption whatsoever Magic Production Group SA / Ferrero Group

Security researchers have discovered that an educational children's app created by the Kinder chocolate brand has a myriad of security issues that make it possible for strangers to spy on children using the app, and even send them messages, images and videos. Researchers from Italian security firm Hacktive Security analysed the Magic Kinder Android app, which is free to download from Google Play and offers a range of educational games and quizzes for children, as well as the ability to draw pictures on the app.

The app also enables users to send messages, images and videos to family members who also have the app installed on their devices using a feature called Family Diary, which can then be curated and shared with other family members by the parent.

However, Hacktive Security found that the app contains no data encryption at all, meaning that if an attacker were to use a http proxy on the local network, the hacker could then read all chat messages sent by the children and even send the child new messages, photos and videos, simply by altering a few parameters in http requests sent between the app and Kinder's servers.

Researcher Massimo Bozza says that he emailed the vendor twice about the issue on 8 and 14 March, and eventually decided to publish a blog post explaining the security vulnerabilities he found in the app at the end of the month, in order to ensure that parents are made aware before any attackers seek to capitalise on the vulnerability.

The encryption of smart devices and products for children has become a key talking point in recent months, after Vtech, the largest manufacturer of electronic toys in the world had its app store hacked in December 2015, exposing the personal data of 6.3 million children across the globe.

And in February, uKnowKids, a US-based website that allows parents to track their children's internet activity, was hacked, exposing the names, photos, email addresses and social media accounts of 1,700 children.

This was followed by revelations from Rapid7 security researchers, who found that hackers could access the Fisher-Price Smart Toy via an insecure API to spy on children, while a crowd-funded smart GPS watch called hereO was found to have the same http request bypass security flaw seen with the Magic Kinder app.

'We are aware of the concerns raised and have conducted a thorough investigation. We have fixed the issue with no consequences for Magic Kinder app users," Ferrero Group told IBTimes UK. "Safety and security are of paramount importance to us and we have a number of robust checks in place and work tirelessly with our partners to ensure these values are upheld and regularly monitored to protect families using the app."