A service designed to help parents monitor their children’s smartphones leaked tens of thousands of passwords and user IDs.
First reported by ZDNet on Sunday, the mobile app TeenSafe left the door to one of its servers open to anyone without a password, giving them free entry to personal data, including Apple login credentials. Since the app requires two-factor authentication to be turned off, anyone who gained access to the information could remotely break into a child’s account.
TeenSafe allows parents to monitor the smartphone of their teenage child and gain access to text messages, web browsing history, social media posts, call logs, app usage, location, and a range of other information. Part of the setup process asks parents to access their child’s phone and disable a host of security settings, like only downloading official apps and updating apps automatically.
Controversial teen-monitoring apps have been criticized as invasive spying tools that breach trust between parents and their children. In 2015, the Australian police warned parents against using TeenSafe, which doesn’t require a child’s consent. Research from the University of Florida suggests parental control apps have a negative impact on parent-child relationships and are even ineffective at protecting kids from the dangers of the internet.
Teensafe is now under the spotlight again after Robert Wiggins, a U.K.-based security researcher, found two servers leaking user information, one of which hosted test data. The databases stored parent’s and children’s email addresses as well as the child’s device name (which is usually the child’s name) and its unique identifier. Most alarmingly, sign-in credentials for their Apple accounts were included in the leak. Fortunately, none of the servers contained photos, messages, or location data.
TeenSafe says more than a million parents use the service. Roughly 10,200 records from the past three months were compromised in the leak, though some appear to have been duplicates, according to ZDNet. It is unclear whether other servers are also out in the open.
Teensafe said it pulled its servers offline once ZDNet alerted it of the data vulnerability.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson said.
What the spokesperson didn’t mention is why the leaked information was stored in plaintext despite claims on Teensage’s website that say it uses end-to-end encryption. We have reached out to TeenSafe and will update this article if we hear back.