Teen Phone Monitoring App Leaks Thousands of Plaintext Passwords


A server used by the operator of an app that enables parents to monitor their teenagers’ phone activity has reportedly leaked tens of thousands of credentials of accounts belonging to both parents and their children.

Billed as a ‘secure’ monitoring app for both iOS and Android, TeenSafe allows parents to check on their child’s location, monitor their call activity, access their web browsing and view their child’s text messages, as well as find out which apps they have installed. The California-based company hosted its servers on Amazon’s cloud and unwittingly left two of them unprotected and open to access by anyone, without the need for a password.

The database contains parents’ email addresses associated with TeenSafe alongside their child’s corresponding Apple ID email address. Notably, the data also includes the child’s device name, usually the child’s actual name, and the device’s unique identifier. Alarmingly, the server also contained plaintext passwords for the child’s Apple ID and, as the app requires two-factor authentication to be turned off – yes, really – anyone viewing the data can simply use the plaintext passwords to access their personal content.

As reported by ZDNet, the vulnerability was first discovered by UK-based security researcher Robert Wiggins, who scours the web for public and exposed data.

After being alerted to the exposed servers, the company pulled both of them offline, along with another server that the publication said contained test data.

“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.

According to the report, none of the records contained photos, messages or other content data such as the locations of either children or parents.

The publication reached out to individuals whose email addresses appeared in the leaked data, and several parents confirmed that their email addresses and passwords were genuine.

It remains to be seen why the company – which claims to use encryption to scramble stored data – stored passwords in plaintext.

Image credit: Pexels.