TeenSafe, a service used by parents to monitor the online behaviors and phone activity of their children, allowed tens of thousands of accounts to leak online after failing to properly secure their servers.
According to a report from ZDNet, the so-called “secure” activity monitoring app left at least two of its servers hosted on Amazon’s cloud service completely unprotected so anyone who happened to stumble across them could access the information stored within, no password needed.
The exposed servers, which were first discovered by security researcher Robert Wiggins, contained the email addresses of parents with TeenSafe accounts, as well as the email address associated with the Apple ID of their children. Passwords for the kids’ Apple ID accounts were also available in the database, stored in plaintext with no encryption or hashing. The server also displayed the name of the child’s device and the phone’s unique identifier.
The servers didn’t contain any saved content like photos or messages, but it puts the kids in a pretty tough spot. For the TeenSafe app to work, it requires two-factor authentication be disabled. The servers contained basically all of the login information required for a malicious actor to hijack a kid’s account and mandates that the primary means of protection against such an attack be turned off.
ZDNet reported there were about 10,200 records found in the server, though it noted some were duplicates. The other exposed database stored test data. It’s not clear if any other servers may have been equally as easy to access, and the unprotected servers have since been pulled offline by TeenSafe.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet.
TeenSafe, by the way, is an incredibly creepy and invasive service. It doesn’t require teens to give their consent to use the service—it encourages parents to tell their kids about it but basically says it’s not that big of a deal legally—and it hands over an incredible amount of data and control to parents.
According to the company’s website, the app, which works for Android and iOS, provides parents access to full conversations sent via SMS and iMessage—inlcluding deleted messages. It shows logs of sent and received calls as well as all contacts stored on the device. Parents can track real-time device location and look at location history. It even can suck up browsing history and bookmarks from web browsers and messages sent through third-party messaging services like WhatsApp and Kik.
The TeenSafe YouTube page is filled with guides that show parents how to do everything from blocking access to individual apps like Snapchat and Instagram to “taking back dinnertime” by shutting down a kid’s device. (The video for that one comes complete with black and white footage of a family talking at the dinner table like the good old days.)
Maybe some of those features are necessary for parenting in 2018, but a lot of them seem overreaching, especially given today’s teens are generally pretty well-behaved. The CDC’s annual Youth Risk Behavior Surveillance Survey found that kids today are far less likely to smoke, binge drink (or drink at all), and have sex than most generations before it.
With videos title “Who is Your Child REALLY Texting” and “Is Your Teen Being Honest?” it seems like TeenSafe doesn’t have a whole lot of faith in teens. After the revelation that two of the company’s servers sat exposed online with no password and sensitive information stored in plaintext, maybe parents shouldn’t have much faith in TeenSafe.