PROTECTING SERVERS can be an afterthought for some, and this appears to be the case with TeenSafe, which left its servers open to anyone.
The company, which offers a Black Mirror-esque app for parents to monitor their teenagers’ phone activity, stored the data on servers hosted on Amazon’s cloud.
UK-based security researcher Robert Wiggins found that TeenSafe had two cloud-hosted servers that lacked appropriate protection and could be accessed without a password, ZDNet reported.
Monitoring the communications of teens may seem a bit of a privacy palaver, but it’s allowed; unsecured data, though, is a nasty problem.
ZDNet alerted TeenSafe to the unsecured servers, and the company quickly yanked them offline; one of the servers appeared to have held user data while the other looked to be a host for test data.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet, but the company didn’t explain why the servers were lacking the right level of protection in the first place.
The data that was exposed contained the email addresses parents use with TeenSafe, their teen’s Apple ID email address, the iPhone’s name and the device’s unique identifier.
Nastier still is that the data contained a plaintext version of the teen’s Apple ID password, which, given TeenSafe’s requirement that two-factor authentication be switched off, could enable malicious actors with access to the information to break into the teen’s Apple account and access their personal data.
ZDNet noted there was no explanation for why the passwords were stored in plaintext in the first place, especially as TeenSafe claims to use encryption to scramble data in the case of a server breach.
Luckily the unsecured servers didn’t hold any information on the locations of TeenSafe’s users or their children, or personal messages or photos. But that doesn’t forgive exposing the other data either.
Aside from some testing and research carried out by ZDNet to verify the Apple IDs and passwords, it doesn’t look like the exposed data has been exploited out in the wild.
But the whole shebang does indicate that it’s worth proceeding with caution when using services that can collect sensitive data but may be a bit haphazard in storing it; maybe avoiding dodgy privacy-sapping services would be a good start.