Child monitoring application TeenSafe offers a service that helps parents track their youngsters’ smartphone activity and location, but in an ironic turn of events it has had a security blip of its own. Because user information was housed on dodgy Amazon servers, both parents’ and children’s sensitive data has been leaked.
TeenSafe has come under fire during its lifetime for allowing parents to grab the browsing histories, text messages, app installations and locations of their children without the consent of the younger party.
As reported by ZDNet, UK-based researcher Robert Wiggins has discovered a security flaw in the safety-spouting application: TeenSafe has been keeping its sensitive data in plaintext on two unprotected Amazon servers. Luckily, one of the servers contained only test data, and no photos, messages or locations of parents or children were exposed.
Unfortunately, however, the second server did grant anyone access to the youngsters’ email addresses, passwords, device names and the phones’ unique identifiers, while parents got away with only their email addresses being taken.
Alarmingly, using TeenSafe requires users to ditch two-factor authentication, which allows attackers to use the leaked information to probe individual devices and gain access to their accounts.
Since the leak came to light, TeenSafe has shut down the servers and sent out a warning to all 1 million users who might have been affected, despite only 10,200 records being found on the server. All users are advised to change their passwords as promptly as possible.
KitGuru Says: Forgoing two-factor authentication and the lack of encryption when storing passwords automatically prompts me to warn potential users to stay away from applications like this until practices change. With this coming to light during a time when privacy is at the forefront of conversation, it will be interesting to see how developers will adapt.