TeenSafe child monitoring app leaked thousands of customers' data

It seems that our eagerness or carelessness in surrendering our data so easily to companies and services is finally coming back to haunt us. From massive customer database hacks to the recent Facebook scandal, the data we've sown on company servers is now being reaped by others, often by criminals. This latest incident is both unfortunate and probably also inevitable. TeenSafe, an app that's supposed to keep kids safe by letting their parents monitor them, has now practically achieved the opposite by leaking parents' and children's data to almost anyone who has been able to grab hold of its database.

TeenSafe bills itself as a secure monitoring app for both iOS and Android. It markets its service to parents who want to keep an eye on their kids' smartphone activities, from call logs to apps installed to browsing history. Naturally, it requires users to submit certain data, like their email addresses, and to sign up with a password, and it collects information about devices. That data, according to UK-based security researcher Robert Wiggins, was left unprotected on the company's Amazon-hosted servers and accessible to anyone without a password.

It actually gets worse from there. The data included not just the parents' email addresses used to sign up for the service, but also the child's Apple ID email and, often, their names as the device name. To make matters even worse, the password for the child's Apple ID was apparently stored in plain, human-readable text.

It would almost be too easy to sympathize with TeenSafe if not for the "features" of its services. For one, it requires two-factor authentication on iPhones to be turned off, so any hacker who got the child's Apple ID and password can easily break into the account. It also claims not to require the child's consent in monitoring them, almost akin to spying on them. Child monitoring apps and services like these are already eyed with suspicion, and this case doesn't do that market any favors.

And then there's the very simple fact that the company was just careless with the data it held. Storing passwords as plain text and not protecting their database with even a password are two of the most irresponsible mistakes any IT department or server administrator can make. It is ironic and tragic that a company aiming to teach parents tech safety tips has completely failed to do that for itself.

VIA: ZDNet