Posted on May 26, 2018 at 10:59 AM
TeenSafe, an application parents can use to monitor their teenager’s location and text messages on either Android or iOS, exposed user email addresses and unencrypted passwords because the company’s servers were inadequately secured.
The leak was discovered by Robert Wiggins, a researcher living in the UK, who specifically searches for this type of unprotected information online to alert unsuspecting users. The story was first reported by ZDNet on their website after they notified TeenSafe of what had been found. TeenSafe, based in Los Angeles, California, reported that it had closed one of the servers to the public and had begun reaching out to customers to alert them to the issue while the company does additional research to determine the full impact and mitigate future risks.
The number of people put at risk has not yet been verified. There are over a million parents using the service, but it is difficult to come to a solid number at this time: one of the servers was reported as only containing fake data used for system testing, and some of the over 10,000 names identified as impacted are listed more than once in the data, which spans the last three months. Anyone who has used this application in recent months should be concerned, as the information made available to everyone is enough to access their teen’s account and find information that can be used inappropriately.
The unsecured servers would not have been such an issue if the passwords had been encrypted, and encryption is what the company claims it uses to protect users’ personal information. The app is advertised as secure, and while the company does not store any content such as messages, locations or pictures, the databases do save both the parents’ and child’s email addresses, the child’s individual mobile identifier, error messages, and the child’s Apple ID in plain text, which anyone could use to hack into the teens’ accounts. The reason the passwords were not encrypted has not yet been explained.
This mobile application has been questionable in the eyes of many, who claim that the parents’ ability to monitor everything their child says, unchecked and without permission, is a gross invasion of privacy. It has also been noted that in order to use the application, the usual two-factor authentication requirement has to be turned off, which puts users at risk if their information isn’t secured by the company.
ZDNet, in an attempt to begin verifying the leaked data, contacted a number of people on the list of impacted customers to confirm that the data at risk was indeed accurate. Only parents were messaged, and many did not respond, but the ones who did respond confirmed the information found on the servers, further validating the concern.
TeenSafe has promised to keep the public informed as its research unfolds and it is able to determine the total impact.