
Teen Phone Monitoring App Data Leak Includes Thousands of Apple ID Passwords Stored in Plaintext

ZDNet reports at least one server used by TeenSafe, an app parents use to monitor their teens’ phone activity, has leaked thousands of accounts of both teens and their parents, including the kids’ Apple ID email addresses.

The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.

The company left its servers, which are hosted on Amazon’s cloud service, unprotected, and accessible to anyone, with no need for a password. The two servers were found by Robert Wiggins, a UK-based security researcher who searches for public and exposed data.

The company pulled both servers offline after they were alerted by ZDNet. One of the servers appeared to include only test data.

“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.

The database stores the parent’s email address, the connected child’s Apple email address, the child’s device name, and the device’s unique identifier. Passwords for the children’s Apple IDs, stored in plaintext, were also included in the data set, even though the company claims on its website that customer data is encrypted.

None of the records included photos, messages, or the locations of the parents or children. The data did include error messages associated with failed account actions, such as when a parent attempted to look up a child’s location and didn’t complete the action.

The report indicates there were at least 10,200 records for the past three months, but some of those were duplicates. TeenSafe says over 1 million parents currently use its service.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.