Mobile App TeenSafe Leaks Parent And Child Data

Mobile app TeenSafe leaked tens of thousands of accounts of both parents and children.

TeenSafe allows parents to view their child’s text messages and location, monitor who they’re calling and when, look at their web browsing history and find out which apps have been installed. The company says more than a million parents are using the app at a price of $14.95 per month.

“Your www.TeenSafe.com login works without requiring your child’s iPhone to be ‘jailbroken’ nor Android phones to be ‘Rooted,’” according to the company website. “TeenSafe does not alter an iPhone in any way and does not violate the phone’s warranty. TeenSafe offers parents a single and secure method by which they can access and monitor their teen’s digital lives.”

TeenSafe assures parents that the app “employs industry-leading SSL and Vormetric data encryption to secure your child’s data. Your child’s data is encrypted — and remains encrypted — until delivered to you, the parent.”

According to ZDNet, however, TeenSafe left two of its servers, hosted on Amazon’s cloud, unprotected and accessible by anyone. Both of the servers were pulled offline after ZDNet alerted the company.

“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” said a TeenSafe spokesperson.

The database stores the parent’s email address associated with TeenSafe, as well as their child’s Apple ID email address. It also includes the child’s device name and the device’s unique identifier, as well as the plaintext passwords for the child’s Apple ID.

Because the app requires that two-factor authentication be turned off, a cybercriminal needs only the exposed credentials to break into the child’s account and obtain their personal content data, such as photos, messages and locations.

None of the records contained content data, and one of the servers appeared to store test data. It’s unknown if there are other exposed servers with additional data.

Before the servers went offline, there were at least 10,200 records from the past three months containing customers’ data, although some were duplicates.