How a Teen Monitoring App Leaked Thousands of User Accounts

By Paul Ausick Updated Jan 11, 11:21PM EST · Published May 21, 11:00AM EDT

Follow 24/7 Wall St. on Google

This post may contain links from our sponsors and affiliates, and Flywheel Publishing may receive compensation for actions taken through them.

How a Teen Monitoring App Leaked Thousands of User Accounts — © Thinkstock

The main selling point of a mobile app TeenSafe is that it offered parents a way to keep track of how their teenage children were using their smartphones. Now, it seems, the app maker has inadvertently leaked account information on tens of thousands of teens and their parents.

The mobile app is available for both Apple Inc. (NASDAQ: AAPL) iOS and Alphabet Inc. (NASDAQ: GOOGL) Android operating systems. TeenSafe gives parents access to text messages, location data and web browsing history, along with call logs, contact lists, bookmarks and messages sent in other apps such as Kik and WhatsApp. Parents do not need to get their children’s permission to use TeenSafe.

A U.K.- based security researcher, Robert Wiggins (@Random_Robbie) found two leaky TeenSafe servers hosted on Amazon’s cloud platform that had been left unprotected and thus accessible to anyone without so much as a password.

If this incident is similar to earlier Amazon Web Services leaks, an administrator for TeenSafe failed properly to set administrative privileges on the data.

[nativounit]

According to ZDNet, the TeenSafe database stores the parents’ email addresses that are associated with TeenSafe and their child’s Apple ID email address, including the child’s device name and the device’s unique identifier. Included in the data are plaintext passwords for the child’s Apple ID. ZDNet notes:

Because the app requires that two-factor authentication [be] turned off, a malicious actor viewing this data only needs to use the credentials to break into the child’s account to access their personal content data.

The leaked data did not include content data such as photos or messages or location information either on the children or their parents. Error messages generated, for example, by a failed parental attempt to look-up a child’s location, were included in the leaked data.

TeenSafe, which claims over a million parents as customers, told ZDNet on Sunday that the company has “taken action to close one of our servers to the public and begun alerting customers that could be potentially impacted.”

The server that was taken offline held more than 10,000 records (some are duplicates) generated over the past three months. The other server was apparently stored test data and it is not known if other servers and additional data were leaked.

[recirclink id=466067]

[wallst_email_signup]

About the Author Paul Ausick →

Paul Ausick has been writing for a673b.bigscoots-temp.com for more than a decade. He has written extensively on investing in the energy, defense, and technology sectors. In a previous life, he wrote technical documentation and managed a marketing communications group in Silicon Valley.

He has a bachelor's degree in English from the University of Chicago and now lives in Montana, where he fishes for trout in the summer and stays inside during the winter.