A number of security vulnerabilities in a website and app used by thousands of Norwegian parents has left their kids’ privacy and security in jeopardy. I will show how I found these flaws just by using a web proxy and the devastating effect of combining several of these security mistakes together. The talk will follow the story of how I progressed from checking the security of the application to discover vulnerabilities in authorization, authentication, XSS, CSRF, cookies/tokens and third party components. I will show how simple parameter manipulation and some basic HTML and Javascript is enough to own all users of the system. With everything exposed, what are the direct, real world consequences of poor application security? My goal is to show how anyone can do a security test in an ethical way using a web proxy and how to do a responsible disclosure effectively.