Parent and Teen Data Leaked from Monitoring App

A security researcher discovered two leaky servers belonging to a California-based company, TeenSafe, which left the email addresses and passwords of parents and teens unprotected. According to ZDNet, at least one of the servers used by the TeenSafe app leaked data from tens of thousands of accounts.

TeenSafe is an app, available for both iOS and Android, for parents who wish to monitor the texts, calls, locations and even the social media exchanges of their teens. The parents enter their email addresses and those of their teenagers. The database stores not only the email and password information but also the child’s device name and the device’s unique identifier, as reported by ZDNet.

“Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data,” ZDNet wrote.

UK-based security researcher Robert Wiggins found the issue with one server containing production data – live customer information – while the second server stored test data. In a tweet to Infosecurity Magazine, Wiggins said, “It appeared to be intercepting the phone’s requests to iCloud for FindMyPhone and other bits related to iCloud.”

Wiggins said the problem was with the type of service running: its default was set for no password and no SSL. “They should’ve firewalled it off to IP’s only,” Wiggins said.

The TeenSafe website claims that it uses “industry-leading SSL and vormetric data encryption to secure your child’s data,” assuring parents that their “child’s data is encrypted – and remains encrypted – until delivered to you, the parent.” However, the leaked data discovered by Wiggins was in plaintext.

"It is sad to see a company charged with storing our kids' Apple ID passwords get this wrong, especially after Amazon introduced several new features to avoid this back in November. Both parents and data custodians should not assume that data is being properly stored. Just saying your website uses SSL is no longer enough," said James Lerud, head of the Verodin behavioral research team.

Companies charged with storing sensitive data should actively disclose what steps they are taking to perform continuous validation, added Lerud. "Parents/customers should start expecting assurances before trusting a company with their data." 
