Full Report
The author of this post has a very young daughter. They wanted to protect their kid from bad content on the internet using the child protective services. First, they needed to make sure it was secure on the iPad. They went through clicking all of the random buttons to try to break out. Some screens open a webview within the app. The author noticed that clicking on any links, in particular Google links, allowed them to open arbitrary web pages within this view. At first, they thought only a single app had the problem. After trying this technique on a few other pages, they found the same problem. So, they deemed this a security lapse on the iPad itself, especially since links like this on the iPhone don't work. We don't see many kiosk escapes anymore. This was a good reminder of the trick of clicking on links.
Analysis Summary
# Vulnerability: Amazon Kids+ Filter Bypass via Embedded WebViews
## CVE Details
- **CVE ID**: Not Assigned
- **CVSS Score**: N/A (Researcher identified)
- **CWE**: CWE-601 (URL Redirection to Untrusted Site), CWE-1329 (Reliance on Component Default Configuration)
## Affected Systems
- **Products**: Amazon Fire Kids Edition Tablets / Amazon Kids+ Service
- **Versions**: Active as of April 2023
- **Configurations**: Child profiles with "Web Access" disabled or set to "Filtered" mode.
## Vulnerability Description
The vulnerability is a kiosk-style escape flaw where the Amazon Kids+ environment fails to apply global content filtering and monitoring to **embedded WebViews** within third-party applications.
While Amazon’s primary Silk browser enforces parental controls, many "vetted" apps in the Amazon Kids+ store include links to "Privacy Policies" or "Terms of Service." When clicked, these open a restricted web view that is not subject to the same parental filters. By navigating through these legal documents to third-party links (specifically Google or Social Media icons), a user can access a fully functional search engine or external browser interface. This traffic is neither blocked nor logged in the Amazon Parent Dashboard.
## Exploitation
- **Status**: PoC available (detailed in research blog)
- **Complexity**: Low
- **Attack Vector**: Physical (requires interaction with the device)
## Impact
- **Confidentiality**: Low (Access to restricted/unfiltered web content)
- **Integrity**: None
- **Availability**: None
- **Parental Control Bypass**: High (The core promise of the "Closed Garden" environment is broken, allowing access to undesirable content without logging or oversight.)
## Remediation
### Patches
- No specific OS-level patch was confirmed in the article. This is an architectural issue regarding how Android WebViews are handled across the Kids+ ecosystem.
### Workarounds
- **Strict App Review**: Manually inspect each app allowed on the child's profile to ensure "Privacy Policy" or "TOS" links do not lead to external navigation.
- **Offline Mode**: Use the tablet without Wi-Fi; however, the researcher noted that child profiles can often re-enable Wi-Fi if a known network is in range.
- **Whitelist Only**: Use "Hand-selected" content mode rather than "Filtered" mode, though this may not prevent in-app WebView escapes.
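The "Strict App Review" check can be partly automated by listing every link on an app's in-app legal page that leaves the page's own origin. The following is an added example, not code from the researcher or from Amazon; the host names, the sample HTML and the function name `audit_policy_links` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a privacy-policy page as an in-app WebView might load it.
SAMPLE_BASE = "https://legal.example-app.test/privacy/index.html"
SAMPLE_HTML = """
<a href="/terms">Terms of Service</a>
<a href="section2.html#cookies">Cookies</a>
<a href="https://www.google.com/policies/privacy/">Google's policy</a>
<a href="//social.example.test/ourapp"><img src="icon.png"></a>
<a href="mailto:privacy@example-app.test">Contact</a>
<a href="#top">Back to top</a>
"""

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> element in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())

def _origin(url):
    # Origin = (scheme, host, port); compared case-insensitively.
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def audit_policy_links(html, base_url):
    """Return (same_origin, off_origin, non_web) lists of resolved link targets."""
    collector = _LinkCollector()
    collector.feed(html)
    base = _origin(base_url)
    same, off, non_web = [], [], []
    for href in collector.hrefs:
        target = urljoin(base_url, href)  # resolves relative and //host links
        if urlsplit(target).scheme.lower() not in ("http", "https"):
            non_web.append(target)        # mailto:, tel:, ... may hand off to another app
        elif _origin(target) == base:
            same.append(target)
        else:
            off.append(target)            # leaves the policy's origin: review by hand
    return same, off, non_web

if __name__ == "__main__":
    _, off, non_web = audit_policy_links(SAMPLE_HTML, SAMPLE_BASE)
    for url in off + non_web:
        print("REVIEW:", url)
```

A static listing like this does not see redirects or script-driven navigation, so an empty result narrows the manual review rather than replacing it.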
## Detection
- **Indicators of Compromise**: No technical logs are generated in the Parent Dashboard for this activity.
- **Detection Methods**: Physical monitoring of the child's device usage is currently the only reliable way to detect this bypass, as the activity occurs outside the monitored browser application.
## References
- Researcher Blog: hxxps[://]www[.]n00py[.]io/2023/04/bypassing-amazon-kids-parental-controls/
- Amazon Kids+ Support: hxxps[://]www[.]amazon[.]com/gp/help/customer/display.html?nodeId=G9ADS787S36LD99Q