If you're a parent, you might be familiar with an app called TeenSafe. This is an app that allows Mom and Dad to actually spy on their children and control their online and mobile behavior. The app has a YouTube channel with several videos that show users how to block their kids from using Snapchat and give directions on how to turn the little ones' phones off during a family dinner. The company says it has over a million parents using the service on both the iOS and Android platforms.
When we told you that parents can spy on their kids with this app installed, we weren't kidding. TeenSafe allows parents to read all text messages, including ones that were deleted and those sent through a third-party app like WhatsApp. Logs of sent and received calls can be retrieved from a child's handset, along with the list of contacts on the phone. Browsing history and bookmarks can be obtained, and no matter where they go, the young ones can't hide; real-time tracking will pass location data over to the parents. And the grownups can track all of this information without getting consent from the kids.
But today's news is really not about the app's features. It appears that TeenSafe's servers were hosted by Amazon's cloud service and were accessible to anyone without requiring a password. According to Robbie Wiggins, a security researcher in the U.K., two servers belonging to the company were leaking data. While one of the servers only dealt with test data, the other one contained the parent's email address associated with an account, the Apple ID email address belonging to the child, the child's device name and its UDID number. It also stored the password to the child's Apple ID in plaintext.
TeenSafe requires that two-factor authentication be disabled, which means that using the leaked information, a hacker could access a child's account and collect personal data and content. The company's website says that encryption is used in case of a data breach, although that doesn't seem to have worked in this case.
TeenSafe has started to alert all of the subscribers involved. That server held 10,200 records from the last three months, although some of the records were duplicates.