TeenSafe, a mobile teen-monitoring app for iOS and Android that lets parents monitor their kids phone and browsing activity, has accidentally exposed the personal data of tens of thousands of accounts in a misconfigured Amazon Web Services S3 bucket.
UK-based security researcher Robert Wiggins discovered TeenSafe had inadvertently left two unprotected servers hosted on Amazon’s cloud without a password that could be accessed by anyone with the right URL, ZDNet reports.
Wiggins told ZDNet that one of the exposed servers contained a trove of personal information including parental email addresses, Apple ID information such as emails and plaintext passwords, the name of the teen’s device and the phone’s unique identifier. The other leaky server seemed to contain test data. The servers did not contain content data such as photos or messages, or the locations of parents or children.
The leaky servers contained at least 10,200 records from the past three months that listed customers’ data - some of which were duplicates. After ZDNet alerted TeenSafe, both the servers were moved offline.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet.
Billing itself as a “secure” monitoring app for both iOS and Android, the TeenSafe app requires two-factor authentication to be turned off. This could present the perfect opportunity for an attacker to use the exposed credentials to break into their account and steal more valuable data, mount phishing attacks and more.
TeenSafe allows parents to monitor their child’s devices for all text messages, including those deleted, messages sent by third-party services such as WhatsApp and Kik Messenger, current location and history of the phone’s location, call logs, contacts, browsing history and list of applications installed. Although teen monitoring apps are controversial and privacy invasive, TeenSafe allows parents to collect this trove of data without the permission of their children.
It also claims to employ “industry-leading SSL and vormetric data encryption to secure your child’s data. Your child’s data is encrypted —and remains encrypted— until delivered to you, the parent.”
“It is absolutely shocking that a company that promotes security and protecting your most valuable assets, your children, have completely left sensitive data unsecured and available to cybercriminals who will abuse it,” Joseph Carson, chief security scientist at Thycotic, told Threatpost.
“The ironic thing is that they require two-factor authentication to be turned off (yes turned OFF), and that they store passwords in clear text. It’s surprising that companies still do such irresponsible actions against cybersecurity best practices.”