Magic Kinder app developer: Surprise! No security holes

Developers have responded to warnings about massive privacy problems with the Magic Kinder App for children by casting off insecure code, dropping poorly implemented functionality in the process.

A lack of encryption within the Magic Kinder smartphone app and other security shortcomings created a severe security risk, as previously reported. Hacktive Security warned that a hacker could "read the chat of the children, send them messages, photographs and videos or change user profile info such as date of birth and gender.” Independent security consultancy Pen Test Partners confirmed that the app was riddled with security holes.

The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher. The app is pitched as offering “strategic, educational games and quizzes to improve children's skills and development”.

PR representatives of its developers got in touch after our initial story was published to acknowledge security issues with the app but to say these had now been resolved.

We are aware of the concerns raised and have conducted a thorough investigation. We have fixed the issue with no consequences for Magic Kinder app users. Safety and security are of paramount importance to us and we have a number of robust checks in place and work tirelessly with our partners to ensure these values are upheld and regularly monitored to protect families using the app.

Napoli-based consultancy Hacktive Security confirmed that main security problems with the app had been resolved.

Hacktive’s Francesco Mormile told El Reg: “The vendor released a refactored version of the app where the family diary feature (which was affected by the vulnerability) has been completely removed, so currently the application has to be considered ‘safe’.”

Concern over the security of technology provided to kids has risen over recent months following the high profile VTech hack last November. VTech servers holding customer information were breached. In a statement, VTech admitted that it had failed to secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service. ®