Story image

Data from app that enables parents to monitor teen’s phone activity leaked

22 May 2018

In an ironic twist, tens of thousands of user accounts associated with an app used by parents to monitor their children’s phone activity has been leaked.

TeenSafe is marketed as a ‘secure’ monitoring app for both iOS and Android that enables parents to view their children’s app usage, text messages, location, call details and even web browsing history – all without their permission.

TeenSafe claims to have more than a million parents using its service, but as reported by ZDNet, the company left its servers hosted on Amazon’s cloud unprotected and accessible by anyone without a password. UK-based security researcher Robert Wiggins makes a living out of scouting for public and exposed data managed to find two leaky servers – both of which now have been pulled offline.

The compromised database stores parents’ email addresses, their corresponding child’s Apple ID email address, device name, unique identifier and the plaintext passwords for their Apple ID.

No personal content data was held on the servers like photos, messages, or the locations of either parents or children.

However, to rub salt in the wounds the app forces two-factor authentication to be turned off which effectively opens the door for malicious actors wanting to access the child’s personal content data.

WinMagic EMEA VP Luke Brown says it’s a breach that could have been easily avoided.

“Another day, another bunch of sensitive data left unprotected and accessible on Amazon’s cloud.  TeenSafe’s claims that it is "secure" and uses encryption to scramble its data is clearly wide of the mark,” says Brown.

“It may have been TeenSafe’s intention to invoke encryption – but in this case, something went wrong.  At the end of day, if the data was encrypted it would not have been possible for any unauthorised users to access it."

Bitglass product management VP Mike Schuricht shares these sentiments.

"Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don't need a password or the ability to crack complex encryption to get at sensitive information,” says Schuricht.

“This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”

Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.