A service designed to help parents monitor their children’s internet activity on iPhone and Android devices has leaked thousands of users’ passwords, ZDNet reports. The service, TeenSafe, purports to be a “secure” monitoring app for both iOS and Android designed to allow parents to view their child’s text message conversations, monitor who they’re calling, access their location and web browsing history, and more. It appears, however, that for iOS devices the service relies on parents supplying their children’s Apple ID passwords, which are stored on the company’s servers, possibly in order to access iCloud data.

However, a U.K.-based security researcher, Robert Wiggins, discovered last week that TeenSafe had actually left one or more of its servers unprotected and accessible by anyone without even a password requirement.
ZDNet alerted the company, which took the affected servers offline, with a spokesperson for TeenSafe stating, “We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted.” The servers in question stored databases that contained parents’ e-mail addresses along with their corresponding child’s Apple ID, device name, and plaintext password. Although none of the records contained any personal content data such as photos, messages, or locations, the Apple ID password would be enough to allow someone to access personal data from the child’s iCloud account and iCloud backups; TeenSafe notably requires that two-factor authentication be disabled in order to use the service.
ZDNet notes that before the server was taken offline, it contained at least 10,200 customer data records from the past three months, although it adds that some were duplicates. ZDNet contacted a sampling of a dozen parents whose email addresses were included in the leaked data and confirmed that the information — including their child’s e-mail address — was at least recently, if not currently, accurate. TeenSafe claims to have over a million parents using the service, and it’s not known if other exposed servers exist that may have contained additional data, nor why sensitive data was stored in plaintext.