Teen Phone Monitoring App Exposes Thousands of Passwords

Here’s some news relating to smartphone security!

Reports say that a very popular teen phone monitoring app has exposed thousands of passwords; the app, which is designed for parents who want to keep an eye on their teenager kids’ smartphone use, was storing plain text passwords on an unsecured AWS server.

TeenSafe, which helps parents keep a check on their teenaged kids’ smartphone use by tracking location, calls, messages, web browsing history etc, had left over 10,000 plain text user records sitting on an unsecured Amazon cloud server.

An exclusive report on this smartphone security-related issue by ZDNet says that TeenSafe, the Los Angeles, Calif.-based company “…left its servers, hosted on Amazon’s cloud, unprotected and accessible by anyone without a password.” The report says that Robert Wiggins, a UK-based security researcher, has found two leaky servers that exposed over 10,000 user records.

The ZDNet report further says- “Robert Wiggins, a UK-based security researcher who searches for public and exposed data, found two leaky servers…Both of the servers was pulled offline after ZDNet alerted the company, including another that contains what appears to be only test data.”

The database in question stores parents’ email addresses associated with TeenSafe, along with the children’s Apple ID email addresses, plus the children’s device names and unique identifiers of all devices. The data would also contain the plaintext passwords for the children’s Apple ID. To be noted is the fact TeenSafe requires the two-factor authentication to be turned off. A hacker would just need to use the credentials available to get into any child’s account and gain control over the personal data. Also part of the data would be error messages associated with failed account actions. However, the data didn’t include content data, like messages, photographs or parents’/children’s location.

ZDNet says- “Shortly before the server went offline, there were at least 10,200 records from the past three months containing customers data — but some are duplicates…One of the servers appeared to store test data, but it’s not known if there are other exposed servers with additional data.” It’s to be remembered that TeenSafe reportedly has over a million parents subscribing to its service.

However, there is no way to ascertain if any damage was done, and if done, to what extent. ZDNet, as part of doing the exclusive report, had verified the legitimacy of the data. The report says- “We began verifying some of the data by reaching out to those whose email addresses were named in the leaking data…We contacted a dozen people over iMessage, one by one, to confirm their passwords.”

The report further says- “Not everyone responded. But several people — parents of children who use the app — confirmed their email addresses and passwords, or that it had been recently changed within the past month or so…The parents also confirmed their child’s email address, used as their Apple ID.” They, however, didn’t try to contact the children for fear of causing alarm.

The fact that the data, especially the passwords for the Apple IDs of the children, were stored in plaintext is something that confuses experts, though TeenSafe claims that the data is secure.

The ZDNet report says- “The company claims on its website that it’s “secure” and uses encryption to scramble the data, such as in the event of a data breach“, and adds, “TeenSafe said it was continuing to assess the situation and “will provide additional information” as it becomes available.”

With so many data breaches happening around you, it’s only natural for you to start wondering if all the data that you share with businesses and companies are safe. Well, there are many companies who take extra care as regards protecting the data at their disposal. Still, data breaches continue to happen.

Companies and organizations that deal with sensitive personal data of customers have a lot of lessons to learn from such data breaches!