TeenSafe, an app that lets parents monitor their children's text messages, social media, and phone location, is found to have leaked data related to thousands of its users that include both parents as well as children. The data, which was reportedly stored on two of the vulnerable servers backed by Amazon Web Services, compresses the email addresses of parents that are associated with the teen monitoring app, alongside the Apple IDs of children and their plaintext passwords. It is also said that at least 10,200 records from the past three months were put at risk.
UK-based security researcher Robert Wiggins reported that two of the TeenSafe servers had exposed the user data, as spotted by ZDNet. While the company pulled the affected servers shortly after it received an alert, ZDNet was able to verify some of the data exposed. It is reported that the servers were unprotected and accessible without requiring a password. Further, as the app asks users to disable the two-factor authentication, attackers can view personal data only using the credentials that surfaced on the servers.
Among other data surfaced, there were the email addresses and passwords of the parents using the TeenSafe app in addition to the email address of children that were used as their Apple ID. It is also reported the device names of children who were being tracked using the app were spotted alongside their device's unique identifier. Likewise, the data also included error messages associated with a failed account action - in some instances highlighting the time when parents weren't able to identify their children's real-time location. All this was notably stored in plaintext instead of under any encryption. However, the company claims on its website that its app is "secure" and uses encryption to protect the data.
ZDNet's Whittaker verified the leak by reaching out the parents whose email addressed were spotted in the leaked data. Moreover, various email addresses of children were found to be associated with their high schools.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson said in a statement to ZDNet.
Since the vulnerable servers are no longer live for access, attackers won't be able to obtain the data. However, TeenSafe hasn't provided any clarity on how it is set to protect their servers in future.