Facebook's Messenger Kids design flaw lets children message unauthorized users

Written 10 months ago by IanDorfman

Facebook, the massive social network that has come under fire over the past few years for multiple security controversies, has once again shown that it hasn't comprehensively figured out security, even for apps where security is the selling point. This time, the problem is a loophole in its Messenger Kids app.

In a group conversation that includes a user a parent or guardian has authorized their child to talk with, the child can also converse with, and send audiovisual content to and receive it from, other group members whom the guardian never authorized.

This gives unauthorized users in a group multiple opportunities for malicious actions that could expose children to inappropriate material. As TechCrunch puts it:

"...given the app’s support for group messaging it’s pretty incredible that Facebook engineers failed to robustly enforce an additional layer of checks for friends of friends to avoid unapproved users (who could include adults) from being able to connect and chat with children."

Though Facebook has not publicly commented on the loophole as of this writing, it has sent the following notification to the parents and guardians of children whom the loophole could have been used by or against:

"Hi [PARENT],
We found a technical error that allowed [CHILD]’s friend [FRIEND] to create a group chat with [CHILD] and one or more of [FRIEND]’s parent-approved friends. We want you to know that we’ve turned off this group chat and are making sure that group chats like this won’t be allowed in the future. If you have questions about Messenger Kids and online safety, please visit our Help Center and Messenger Kids parental controls. We’d also appreciate your feedback."
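
The notification's wording suggests that group creation was checked only against the creator's parent-approved friends. The sketch below is an added example, not Facebook's code: it contrasts that check with a pairwise one that requires every child in the group to have every other member approved. The account names, the approval table and all function names are constructed for illustration.

```python
from itertools import permutations

# Constructed sample data (hypothetical): each child account maps to the
# set of contacts a guardian has approved for that child.
APPROVED = {
    "child_a": {"child_b"},
    "child_b": {"child_a", "child_c", "adult_x"},
    "child_c": {"child_b"},
}


def is_child(user):
    """Only child accounts carry a guardian-managed approval list."""
    return user in APPROVED


def flawed_can_create_group(creator, members):
    """Assumed flawed logic: invitees are checked against the creator only."""
    return all(m in APPROVED.get(creator, set()) for m in members)


def unapproved_pairs(creator, members):
    """Every (child, other member) pair in the group lacking approval."""
    group = {creator, *members}
    return sorted(
        (a, b)
        for a, b in permutations(group, 2)
        if is_child(a) and b not in APPROVED[a]
    )


def strict_can_create_group(creator, members):
    """Allow the group only if each child has approved every other member."""
    return not unapproved_pairs(creator, members)


if __name__ == "__main__":
    invitees = ["child_a", "child_c"]
    print("creator-only check:", flawed_can_create_group("child_b", invitees))
    print("pairwise check:    ", strict_can_create_group("child_b", invitees))
    print("blocked pairs:     ", unapproved_pairs("child_b", invitees))
```
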

In a response to The Verge, a Facebook representative said the following:

"We recently notified some parents of Messenger Kids account users about a technical error that we detected affecting a small number of group chats. We turned off the affected chats and provided parents with additional resources on Messenger Kids and online safety."

Beyond the alert itself, the statement given to The Verge, and closing down groups that used the exploit, no further action or public statements have been made by Facebook in regard to Facebook Messenger Kids as of the time of this writing.

Further coverage:
The Verge
TechCrunch
CNET
Gizmodo