Popular teen monitoring app TeenSafe, which helps parents keep tabs on their kids’ phone activity, search history, location and text messaging habits, has at least one leaky server that led to the breach of “tens of thousands” of user account details, according to ZDNet.
The leak came to light through the findings of security researcher Robert Wiggins, who discovered that TeenSafe left the data of thousands of accounts exposed on two Amazon servers. While the first server held only test data, the second one stored not only the kids’ Apple ID login credentials, but also the email addresses of parents.
Compounding the matter, the second server also stored the names and the unique identification numbers (IMEI) for each device. However, no in-app content such as messages or photos was stored on either of the servers.
Questions are being raised over how TeenSafe works as well. For instance, users have to turn off Apple’s two-factor authentication to use TeenSafe on an iOS device, making it easy for intruders to sign in through another device and get unhindered access to a teen’s iCloud data.
TeenSafe claims the offending server has been shut down and that it has “started warning customers that might be affected”. However, the damage seems to have been done. There were reportedly “at least 10,200 records from the past three months containing customers data” stored on the unprotected server.
Privacy advocates have long been questioning the legitimacy of phone monitoring apps like TeenSafe that garner a huge amount of data from users. Since parents pour a lot of trust into child-oriented apps that monitor their kids’ activity, they too become vulnerable when there’s a glaring lapse in security.
As you might have already surmised, the problem is that it took Wiggins’ findings for the phone-monitoring company to finally lock things down.