Story image

Data from app that enables parents to monitor teen’s phone activity leaked

22 May 18

In an ironic twist, tens of thousands of user accounts associated with an app used by parents to monitor their children’s phone activity has been leaked.

TeenSafe is marketed as a ‘secure’ monitoring app for both iOS and Android that enables parents to view their children’s app usage, text messages, location, call details and even web browsing history – all without their permission.

TeenSafe claims to have more than a million parents using its service, but as reported by ZDNet, the company left its servers hosted on Amazon’s cloud unprotected and accessible by anyone without a password. UK-based security researcher Robert Wiggins makes a living out of scouting for public and exposed data managed to find two leaky servers – both of which now have been pulled offline.

The compromised database stores parents’ email addresses, their corresponding child’s Apple ID email address, device name, unique identifier and the plaintext passwords for their Apple ID.

No personal content data was held on the servers like photos, messages, or the locations of either parents or children.

However, to rub salt in the wounds the app forces two-factor authentication to be turned off which effectively opens the door for malicious actors wanting to access the child’s personal content data.

WinMagic EMEA VP Luke Brown says it’s a breach that could have been easily avoided.

“Another day, another bunch of sensitive data left unprotected and accessible on Amazon’s cloud.  TeenSafe’s claims that it is "secure" and uses encryption to scramble its data is clearly wide of the mark,” says Brown.

“It may have been TeenSafe’s intention to invoke encryption – but in this case, something went wrong.  At the end of day, if the data was encrypted it would not have been possible for any unauthorised users to access it."

Bitglass product management VP Mike Schuricht shares these sentiments.

"Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don't need a password or the ability to crack complex encryption to get at sensitive information,” says Schuricht.

“This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”

McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill.