Teen-monitoring mobile app TeenSafe fails basic security, leaving thousands of users' details exposed.
More than 10,000 teens have had their Apple and Android IDs, email addresses and plaintext passwords exposed by mobile app TeenSafe’s unprotected servers. The Los Angeles company that developed the app failed to protect its Amazon cloud-hosted servers with basic security measures such as a password.
The company’s vulnerable database stores the parent’s email address associated with TeenSafe, as well as their child’s Apple ID. To use the app, parents must disable two-factor authentication, making it even easier for malicious people to compromise the accounts. At this time, it appears that none of the records contained content data, such as photos or messages, or the locations of either parent or child.
Servers Taken Swiftly Offline
UK-based security researcher Robert Wiggins discovered the oversight. After ZDNet alerted the company, both servers were pulled offline, including one that contains what appears to be test data.
Wiggins told the BBC that the data was viewable because TeenSafe had not put in place basic security measures, such as a firewall, to protect data. A spokesperson for TeenSafe told ZDNet: “We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted.”
The TeenSafe app, which boasts of having over a million parent users, is compatible with iOS and Android and is designed to allow parents to supervise their children’s phone activity. While some apps require the child’s consent, TeenSafe does not. Thus, without their child’s knowledge, parents can view their child’s text messages and location, see who they call and when, access their web browsing history, and find out which apps they have installed. The company claims it is empowering parents, enabling them to detect the hidden dangers “lurking” inside their child’s smartphone.