CVE-2023-36620 in Boomerang Parental Control App

Summary

by MITRE • 11/03/2023

An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to back up the internal memory of the app to a PC. This gives the user access to the API token that is used to authenticate requests to the API.


Analysis

by VulDB Data Team • 01/14/2026

The vulnerability identified as CVE-2023-36620 is a critical security flaw in the Boomerang Parental Control application for Android. It stems from a misconfiguration in the application's manifest: the android:allowBackup="false" attribute is absent, so the platform's backup mechanism becomes an unintended export path for sensitive user data. Versions prior to 13.83 are affected, and closing the gap required a specific patch. The flaw exposes the application's internal storage through standard Android backup mechanisms, so it can be exploited by attackers with physical access to the device or by those who have already compromised the user's system.

The weakness sits at the Android manifest level, where the allowBackup attribute acts as a security control. When the attribute is not explicitly set to false, Android treats backup as enabled for the application and includes its data, such as shared preferences, databases and other internal storage, in backups. Boomerang Parental Control keeps its authentication tokens in that internal storage, typically in shared preferences or an internal database. Those tokens are sufficient to authenticate API requests to the backend services, so whoever extracts them can impersonate the legitimate user and reach the parental control account and its features. The vulnerability maps to CWE-664, which addresses improper control of a resource through multiple access points, since the application fails to restrict access to its internal storage components.
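An added manifest check, written for this page and not code from VulDB or the Boomerang project: it parses an AndroidManifest.xml and reports whether backup is effectively enabled, treating an absent android:allowBackup as the platform default (true). Both manifests below are constructed samples, not the real application's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def backup_posture(manifest_xml: str) -> dict:
    """Report how the <application> element configures Android backup.

    An absent android:allowBackup is treated as true, which is the platform
    default and exactly the gap described for CVE-2023-36620.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    declared = android_attr(app, "allowBackup")
    allow_backup = True if declared is None else declared.strip().lower() == "true"
    # Rule files can exclude files from backup even when backup stays on
    has_rules = any(android_attr(app, a) is not None
                    for a in ("fullBackupContent", "dataExtractionRules"))
    return {"declared": declared, "allow_backup": allow_backup,
            "has_backup_rules": has_rules}


def findings(manifest_xml: str) -> list:
    """Findings a reviewer would raise for this manifest (empty if none)."""
    posture = backup_posture(manifest_xml)
    out = []
    if posture["declared"] is None:
        out.append("android:allowBackup not declared; backup defaults to enabled")
    if posture["allow_backup"] and not posture["has_backup_rules"]:
        out.append("backup enabled with no exclusion rules; tokens kept in "
                   "shared preferences or databases are exportable")
    return out


# Constructed sample manifests (not the real Boomerang manifest)
VULNERABLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.app">
  <application android:label="Example"/>
</manifest>"""

FIXED_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.app">
  <application android:label="Example" android:allowBackup="false"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(name, findings(xml) or ["no backup findings"])
```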

The operational impact goes beyond simple data exposure, because the stolen API tokens can be used to perform unauthorized actions within the parental control system. Attackers could access child monitoring data, modify parental controls, disable security features, or reach other accounts tied to the same user credentials. This is particularly concerning for a parental control application, since it could let unauthorized individuals bypass the measures meant to protect children from inappropriate content or online threats, a significant risk for families who rely on such applications for digital safety and privacy. The attack surface is relatively broad: only local access to the device or an already compromised system is needed to use the backup mechanism, which makes it attractive to attackers who have gained initial access through other means.

The security implications align with ATT&CK technique T1213.001, data from information repositories, because the backup mechanism provides an alternative access path to data that should remain protected. Organizations and users should apply immediate mitigations: update to version 13.83 or later of the Boomerang Parental Control application, which presumably includes the fix for this manifest configuration issue. Users should also review their Android backup settings so that sensitive applications are excluded from automatic backups, and administrators should consider mobile device management policies that restrict backup for applications handling sensitive data. The vulnerability shows how much proper Android application security configuration matters and how a seemingly minor manifest attribute can carry significant security weight. Security teams should also consider monitoring for unauthorized access patterns and token usage to detect exploitation that may follow an initial breach through this backup mechanism.

Reservation: 06/25/2023

Disclosure: 11/03/2023

Moderation: accepted

CPE: ready


EPSS: 0.00071

KEV: no

Activities: very low
