Data from app that enables parents to monitor teen’s phone activity leaked

22 May 2018

In an ironic twist, tens of thousands of user accounts associated with an app used by parents to monitor their children’s phone activity have been leaked.

TeenSafe is marketed as a ‘secure’ monitoring app for both iOS and Android that enables parents to view their children’s app usage, text messages, location, call details and even web browsing history – all without their permission.

TeenSafe claims to have more than a million parents using its service, but as reported by ZDNet, the company left its servers hosted on Amazon’s cloud unprotected and accessible by anyone without a password. UK-based security researcher Robert Wiggins, who makes a living out of scouting for public and exposed data, managed to find two leaky servers, both of which have now been pulled offline.

The compromised database stores parents’ email addresses, their corresponding child’s Apple ID email address, device name, unique identifier and the plaintext passwords for their Apple ID.

No personal content data, such as photos, messages, or the locations of either parents or children, was held on the servers.

However, to rub salt in the wounds, the app forces two-factor authentication to be turned off, which effectively opens the door for malicious actors wanting to access the child’s personal content data.

WinMagic EMEA VP Luke Brown says it’s a breach that could have been easily avoided.

“Another day, another bunch of sensitive data left unprotected and accessible on Amazon’s cloud. TeenSafe’s claims that it is ‘secure’ and uses encryption to scramble its data are clearly wide of the mark,” says Brown.

“It may have been TeenSafe’s intention to invoke encryption – but in this case, something went wrong. At the end of the day, if the data was encrypted it would not have been possible for any unauthorised users to access it.”

Bitglass product management VP Mike Schuricht shares these sentiments.

“Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information,” says Schuricht.

“This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”
