Researcher discovered TeenSafe stored thousands of kids’ Apple IDs in plaintext on an unprotected AWS server. The server has since been taken down.

TeenSafe, a surveillance app that “more than one million” parents allegedly use to spy on what their kids are doing on their phones, failed to use a password to protect its servers, which resulted in over 10,000 records from the last three months being compromised.

The mobile app claims to let parents monitor all sent, received, and deleted Android text messages and Apple iMessages, call logs, web browsing history, contacts, messages sent via WhatsApp and Kik Messenger, as well as device location and location history. TeenSafe also claims to be a “secure” monitoring app, but that is not what security researcher Robert Wiggins, aka @Random_Robbie, found to be true.

While scanning Amazon Web Services (AWS), Wiggins discovered two TeenSafe servers that were not protected with even so much as a password, meaning anyone could have accessed them. Although one server seems to have hosted only test data, the other unprotected server was chock-full of sensitive information.

At least 10,200 records from the last three months had been exposed, although some were reportedly duplicates. ZDNet reported:

“The database stores the parent’s email address associated with TeenSafe, as well as their corresponding child’s Apple ID email address. It also includes the child’s device name — which is often just their name — and their device’s unique identifier. The data contains the plaintext passwords for the child’s Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child’s account to access their personal content data.”

TeenSafe closes server, alerts customers

TeenSafe yanked the server after being told the data was exposed.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” TeenSafe told ZDNet.

Wiggins said TeenSafe wasn’t even using “basic security measures, such as a firewall, to protect data.” The data was “unprotected and accessible by anyone without a password.” He told the BBC that his scan found other companies’ servers that contained the same mistakes of failing to protect data.

While the exposed TeenSafe server with customer data did not include any saved photos or messages, it puts kids in a tight spot — the same kids who parents seem to think are not trustworthy when left to their own devices. Put another way by Cory Doctorow:

“If you’re the kind of parent who wants to spy on everything your kids do, you can force them to install an app like Teensafe, which only works if your kid doesn’t use two-factor authentication; you have to give it your kid’s device ID and password, so if that data leaks, it would allow anyone to break into your kid’s cloud and plunder all their private data.”

Not all kids are allegedly aware that their parents are using TeenSafe to monitor them. ZDNet noted that TeenSafe says, “It doesn’t require parents to obtain the consent of their children.” If that applies to you, TeenSafe-using parents, then you probably need to fess up while explaining why your kids need to change their Apple ID passwords. Then you and your teen can talk about potential phishing scams, since your email addresses were also exposed.