Club Penguin – Safe for kids?

My sister alerted me to a new Internet game that is gaining popularity among kids called “Club Penguin.” In a sense, it’s a virtual world much like Second Life, except instead of being whatever you want, you’re constrained to being a penguin.

Within Club Penguin, you can buy items, such as pets, clothing, food, etc., and get jobs to work for money. You can send chat messages to the people who are in your virtual world. You can throw snowballs, dance, etc. You can add a particular penguin to your buddy list and send that penguin emails.

It has won lots of “awards” for being Kids Safe, but I still don’t trust it. Even though there is live moderation and message filtering, it’s the same game where people try to break the controls that are constraining them. Someone is going to find a way to infiltrate the system.

I decided to take a look at the security behind the application itself. I found that Club Penguin was sending messages over port 6112 in plain-text. This was surprising to me as I thought there would at least be some encryption involved.

I did some simple packet sniffing on port 6112 to see what I could discover about the messaging protocol being used. At first, it looked a bit cryptic, but I later discovered that there were some simple codes being used such as np, rp, sp, and sm which represented “new player,” “remove player,” “move player,” and “send message.” There is a user id tied to each of these actions, and it gives coordinates on the current map.

Anything that is said can be easily read in plain text. For example, I sent out the following message, “anyone hear me?” and the transmission that I was able to sniff was: %xt%m%sm%18%23348762%anyone hear me?%.
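
A parent or network admin can confirm this finding from their own capture by checking whether a payload begins with a TLS record header or is a readable “%”-delimited frame. The sketch below is an added example, not code from this post or from Club Penguin; the function names, the constructed sample payloads, and the choice to treat every field around the action code as an opaque string are assumptions.

```python
# Added example: names and field handling are assumptions, not Club Penguin code.
ACTIONS = {  # action codes exactly as listed in the post
    "np": "new player",
    "rp": "remove player",
    "sp": "move player",
    "sm": "send message",
}

# Constructed samples: the chat frame quoted in the post, and the first
# five bytes of a TLS handshake record (type 22, version 3.1, length 47).
SAMPLE_CHAT = b"%xt%m%sm%18%23348762%anyone hear me?%"
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F])

def looks_like_tls(payload: bytes) -> bool:
    """True when the payload begins with a TLS record header."""
    return (len(payload) >= 5
            and payload[0] in (20, 21, 22, 23)   # record content types
            and payload[1] == 3 and payload[2] <= 4)

def parse_frame(payload: bytes):
    """Split one '%'-delimited frame into fields; None if it is not one."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if len(text) < 2 or not (text.startswith("%") and text.endswith("%")):
        return None
    fields = text[1:-1].split("%")
    # The post does not document field positions, so locate the action
    # code by value and keep everything around it as opaque strings.
    for i, field in enumerate(fields):
        if field in ACTIONS:
            return {"code": field, "action": ACTIONS[field],
                    "header": fields[:i], "args": fields[i + 1:]}
    return {"code": None, "action": None, "header": fields, "args": []}

def audit(payload: bytes) -> dict:
    """Classify a captured payload as TLS, cleartext frame, or unknown."""
    if looks_like_tls(payload):
        return {"verdict": "tls", "frame": None}
    frame = parse_frame(payload)
    return {"verdict": "cleartext" if frame else "unknown", "frame": frame}

if __name__ == "__main__":
    for sample in (SAMPLE_CHAT, SAMPLE_TLS):
        print(audit(sample))
```

A “cleartext” verdict with the chat text visible in `args` means the same content is readable by anyone on the network path, whatever filtering the game applies.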

What does this mean? Any predator in your neighborhood can just tap in and listen to port 6112 and see who is playing Club Penguin in the neighborhood. He/she can watch everything that goes on, spoof the Club Penguin server, and send un-moderated, un-filtered messages to your child.

Scary!

My advice is to watch what your children are doing online and become informed of potential dangers. There are people who would like to exploit this game. Several visitors have arrived at this post searching for “how to hack club penguins database,” “club penguin packet sniffers,” “club penguin 6112,” and “clubpenguin mail spoofing.” I’ll let you be the judge.

[Update: I’ve closed comments because of vandalism by people not mature enough to leave respectful comments]

11 comments

  1. Diane says:

    You got it right on Jim! Thanks for looking into this for me. I think you have the perfect answers. I guess for us parents… If you aren’t sure about something… don’t trust it!

    You’re awesome!

  2. Jimmy'z says:

    Alright! This just proves my point. Either Jack is not a kid, or he’s a kid who doesn’t understand Internet safety. If Jack really is a kid, he just gave away his email address to a complete stranger, me. If he’s really an adult, doesn’t that seem a bit creepy?

  3. I think clubpenguin is safe because if someone is rude or asking for your personal information, you can report them (block them) so they don’t send any more messages to you.
    Also, it is up to the person playing whether or not they keep themselves safe; if that person doesn’t give out any personal information and just sticks to the rules, then clubpenguin is a safe and fun game to play.
    On clubpenguin some messages don’t get sent, like if someone tried to give out personal information, it wouldn’t send to the other person’s computer. Clubpenguin doesn’t let people send inappropriate messages (emails).
    So I do think clubpenguin is safe, but it is up to the person playing, whether they keep themselves safe.

  4. Jimmy'z says:

    I feel I need to make a clarification on the email address comment.

    If you enter your email address or any other personal information in a web form, that information goes somewhere, be it a database or text file. What is done with your information from there depends on privacy agreements and ethical behavior by site owners.

    My privacy agreement states that your email address is required, but will not be published, which is an agreement that I honor. Nowhere on this page or anywhere will you see Jack’s email published. However, it is sitting in a database on my server so that if I wanted to contact him directly, I could do so.

    I will never sell email addresses or violate privacy of anyone who participates on this blog. I have no malicious intent. In fact this blog post was meant to help individuals from a potentially dangerous situation.

  5. Jimmy'z says:

    In response to your second comment, you may be right that you can block users and not accept messages from certain users. I admit that I don’t know everything about the internals of the game.

    As long as messages going out and coming in are filtered on the client side (meaning the Club Penguin game that runs in a Flash Player), then you can rest assured that certain messages and private information will be protected.

    If the filtering occurs on the server side, meaning Club Penguin’s servers that route the messages to all of the players, then it would be possible to bypass those filtering controls.

    It seems that most messages would make it to the Club Penguin servers because they claim that they monitor the activity that goes on.

    If you want to let your kids play Club Penguin, chances are they’ll be fine. I just hope no children get hurt.

    Again, nothing is bulletproof.

  6. ??? says:

    Yes, that’s true. The main thing is that the child keeps themselves safe by not giving out personal information. :)

  7. joe says:

    “Just because kids can play multi-player games online doesn’t mean that they should.”

    Just because people can hack a system to get your personal information doesn’t mean they will.

    “Again, nothing is bulletproof.”

    No, it’s not. But I’m sure you don’t make your children wear bullet-proof vests to school to keep them safe. Why should you make them do so when they are online, and in no immediate physical danger?

    I believe you are attempting to shield your children a bit more than is entirely appropriate. A simple email address given to the wrong person will not necessarily result in anything entirely terrible; sure, your child may end up with ads about enlarging his (or her nonexistent) reproduction organ, but other than that, if your child is smart it won’t be a problem.

    Children are smarter than you make them out to be.

    Note: I will warrant I’m prejudiced against over-protective parents because I am not one (that is, a parent); perhaps if I were a little older and had a family of my own, I’d be as worried as you are. I believe I would not be, though probably out of naivety; I like to believe in the best in people.

  8. Jimmy'z says:

    “Just because people can hack a system to get your personal information doesn’t mean they will.”

    True, but an ounce of prevention is worth a pound of cure. I can’t imagine anything more horrible than a child being molested or worse by a child predator.

    I’m sure those who have had the unfortunate experience of having one of their children abducted or molested would have done anything or paid any price to have prevented that situation.

    Sure, kids need to grow up being Internet savvy to survive in today’s Internet-powered world. I love the web and thus it is my profession. However, if parents aren’t aware of the dangers, they cannot educate their children.

    Ultimately, education is the best form of protection. Education takes time, patience, and devotion. The ideal situation would be if parents sat down with their children and taught them appropriate use of Internet applications.

    Maybe I should put more trust in good parenting.

  9. Sophie says:

    Club penguin is completely safe in my opinion, and Joe, I agree with you about over-protective parents.

Comments are closed.