In an ironic twist, tens of thousands of user accounts associated with an app used by parents to monitor their children’s phone activity has been leaked.
TeenSafe is marketed as a ‘secure’ monitoring app for both iOS and Android that enables parents to view their children’s app usage, text messages, location, call details and even web browsing history – all without their permission.
TeenSafe claims to have more than a million parents using its service, but as reported by ZDNet, the company left its servers hosted on Amazon’s cloud unprotected and accessible by anyone without a password. UK-based security researcher Robert Wiggins makes a living out of scouting for public and exposed data managed to find two leaky servers – both of which now have been pulled offline.
The compromised database stores parents’ email addresses, their corresponding child’s Apple ID email address, device name, unique identifier and the plaintext passwords for their Apple ID.
No personal content data was held on the servers like photos, messages, or the locations of either parents or children.
However, to rub salt in the wounds the app forces two-factor authentication to be turned off which effectively opens the door for malicious actors wanting to access the child’s personal content data.
WinMagic EMEA VP Luke Brown says it’s a breach that could have been easily avoided.
“Another day, another bunch of sensitive data left unprotected and accessible on Amazon’s cloud. TeenSafe’s claims that it is "secure" and uses encryption to scramble its data is clearly wide of the mark,” says Brown.
“It may have been TeenSafe’s intention to invoke encryption – but in this case, something went wrong. At the end of day, if the data was encrypted it would not have been possible for any unauthorised users to access it."
Bitglass product management VP Mike Schuricht shares these sentiments.
"Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don't need a password or the ability to crack complex encryption to get at sensitive information,” says Schuricht.
“This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”