TeenSafe phone monitoring app leaks teens’ iCloud logins in plaintext

A security researcher has discovered at least two servers hosted by a “secure” monitoring app for iOS and Android, TeenSafe, that were up on Amazon Web Services (AWS) for months without the need for a passcode to get at their data.

The mobile app, TeenSafe, bills itself as being a “secure” monitoring app built by parents, for parents. It lets parents view their kids’ text messages, monitor who they’re calling and when, track their phones’ current and historical locations, check their browsing histories, and see what apps they’ve installed.

The leaky servers were discovered by Robert Wiggins, a UK-based security researcher who searches for public and exposed data. The company took one server down after being contacted by ZDNet. The other server apparently held only non-sensitive data: likely, test data.

Data from more than 10,000 accounts were exposed.

Wiggins said that the unprotected servers were letting anybody see Apple user IDs, parents’ email addresses, unique phone IDs, users’ attempts to “find my iPhone” and passwords stored in plaintext.

Wiggins said that if Android data were being exposed, he didn’t come across it.

The security researcher told the BBC that the data was viewable because TeenSafe lacked basic security measures, such as a firewall, to protect it.

All in spite of TeenSafe’s claims that the app is secure and uses encryption to scramble data:

“TeenSafe employs industry-leading SSL and Vormetric data encryption to secure your child’s data. Your child’s data is encrypted – and remains encrypted – until delivered to you, the parent.”

Contents of messages, including photos, weren’t included in the leak, and ZDNet’s Zack Whittaker reports that none of the records contained the locations of either parents or children. But that’s not just cold comfort: it’s an ice cube. A hacker could simply use those plaintext passwords to get at a teenager’s content because, as Whittaker noted, the app requires that two-factor authentication (2FA) be turned off. Thus…

“A malicious actor viewing this data only needs to use the credentials to break into the child’s account to access their personal content data.”

Safe and effective password storage could have made that close to impossible, even with a stolen password database.

TeenSafe claims that over a million parents use the service.