In a somewhat ironic turn of events, TeenSafe, a service that helps people keep their kids safe by monitoring teenagers’ phone activity, has leaked parents’ and children’s sensitive data online.
With TeenSafe, parents can see who their kids have been calling and when, view browsing histories and text messages, see what apps they have installed, and bring up their locations. To most people, this probably sounds like an invasion of privacy; the company says parents do not even require the consent of their children to use the service.
Despite its claims of security and safety, ZDNet reports that UK-based researcher Robert Wiggins discovered TeenSafe data was left unprotected on two Amazon servers. While one of these contained only test data, the other included kids’ Apple ID email addresses and passwords, along with their parents’ email addresses. The name of the child’s device was also included, as was the phone’s unique identifier. While no photos, messages, or locations were exposed, the information on the server was stored in plaintext with no encryption.
What’s especially concerning about this leak is the way that TeenSafe works. It requires that two-factor authentication be disabled on an iOS device, which means an attacker could use a child’s Apple ID and password to gain access to their accounts.
Around 10,200 records were found on the server, though some of these were duplicates. TeenSafe, which claims to have over 1 million parents using the service, said it has now shut down the server and is warning customers who may be affected.
The invasive nature of child monitoring apps like TeenSpace has given them a questionable reputation. The fact that the app stored plaintext passwords in an unsecured database certainly isn’t going to improve this view.