sb-as logo
Story image

Data from app that enables parents to monitor teen’s phone activity leaked

22 May 2018

In an ironic twist, tens of thousands of user accounts associated with an app used by parents to monitor their children’s phone activity has been leaked.

TeenSafe is marketed as a ‘secure’ monitoring app for both iOS and Android that enables parents to view their children’s app usage, text messages, location, call details and even web browsing history – all without their permission.

TeenSafe claims to have more than a million parents using its service, but as reported by ZDNet, the company left its servers hosted on Amazon’s cloud unprotected and accessible by anyone without a password. UK-based security researcher Robert Wiggins makes a living out of scouting for public and exposed data managed to find two leaky servers – both of which now have been pulled offline.

The compromised database stores parents’ email addresses, their corresponding child’s Apple ID email address, device name, unique identifier and the plaintext passwords for their Apple ID.

No personal content data was held on the servers like photos, messages, or the locations of either parents or children.

However, to rub salt in the wounds the app forces two-factor authentication to be turned off which effectively opens the door for malicious actors wanting to access the child’s personal content data.

WinMagic EMEA VP Luke Brown says it’s a breach that could have been easily avoided.

“Another day, another bunch of sensitive data left unprotected and accessible on Amazon’s cloud.  TeenSafe’s claims that it is "secure" and uses encryption to scramble its data is clearly wide of the mark,” says Brown.

“It may have been TeenSafe’s intention to invoke encryption – but in this case, something went wrong.  At the end of day, if the data was encrypted it would not have been possible for any unauthorised users to access it."

Bitglass product management VP Mike Schuricht shares these sentiments.

"Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don't need a password or the ability to crack complex encryption to get at sensitive information,” says Schuricht.

“This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”

Story image
Why zero trust could fail due to lack of understanding​, not technology
Security architects are being forced to re-examine the concept of identity, with many turning to a zero trust security model to provide a better architecture for protecting their sensitive resources.More
Story image
Nokia: Cyber attacks on internet-connected devices on the rise
Cyberattacks on internet-connected devices continue to rise at an alarming rate due to poor security protections.More
Story image
Insider threat report reveals deception in the workforce
Insider threats come from people inside an enterprise, whether they divulge proprietary information with nefarious intentions, or are just careless employees that unwittingly share sensitive data, writes Bitglass product marketing manager Juan Lugo.More
Story image
Cybersecurity market continues meteoric ascent
With the increase in cyberattacks, organisations are continuing to spend more money on security. However, without a focused cybersecurity strategy, they often spend it in the wrong areas.More
Story image
Radware signs on two more clients for DDoS protection
While Radware did not share the names of its two clients, the company did explain more about the partnerships.More
Story image
Video: 10 Minute IT Jams - SonicWall VP discusses the importance of endpoint security
In this video, Dmitriy discusses the exposure points and new risks that come as a result of widespread flexible working arrangements, how organisations should secure their massively distributed networks, and how SonicWall's Boundless Cybersecurity model can solve these issues.More