How a Teen Monitoring App Leaked Thousands of User Accounts

Companies and Brands

Published: May 21, 2018 11:00 am

Last Updated: January 11, 2020 11:21 pm

The main selling point of a mobile app TeenSafe is that it offered parents a way to keep track of how their teenage children were using their smartphones. Now, it seems, the app maker has inadvertently leaked account information on tens of thousands of teens and their parents.

The mobile app is available for both Apple Inc. (NASDAQ: AAPL) iOS and Alphabet Inc. (NASDAQ: GOOGL) Android operating systems. TeenSafe gives parents access to text messages, location data and web browsing history, along with call logs, contact lists, bookmarks and messages sent in other apps such as Kik and WhatsApp. Parents do not need to get their children’s permission to use TeenSafe.

A U.K.- based security researcher, Robert Wiggins (@Random_Robbie) found two leaky TeenSafe servers hosted on Amazon’s cloud platform that had been left unprotected and thus accessible to anyone without so much as a password.

If this incident is similar to earlier Amazon Web Services leaks, an administrator for TeenSafe failed properly to set administrative privileges on the data.

According to ZDNet, the TeenSafe database stores the parents’ email addresses that are associated with TeenSafe and their child’s Apple ID email address, including the child’s device name and the device’s unique identifier. Included in the data are plaintext passwords for the child’s Apple ID. ZDNet notes:

Because the app requires that two-factor authentication [be] turned off, a malicious actor viewing this data only needs to use the credentials to break into the child’s account to access their personal content data.

The leaked data did not include content data such as photos or messages or location information either on the children or their parents. Error messages generated, for example, by a failed parental attempt to look-up a child’s location, were included in the leaked data.

TeenSafe, which claims over a million parents as customers, told ZDNet on Sunday that the company has “taken action to close one of our servers to the public and begun alerting customers that could be potentially impacted.”

The server that was taken offline held more than 10,000 records (some are duplicates) generated over the past three months. The other server was apparently stored test data and it is not known if other servers and additional data were leaked.