While many children understandably view it as a nuisance, smartphones give parents the ability to track their location when they leave the house. Kids may see it as a violation of privacy, but it can put a parent’s mind at ease, especially if there is an emergency and they need to find their kid right away. But when it comes to location tracking, parents and children need to trust the tools they’re using, and one popular app might have eroded that trust for good.
Over the weekend, ZDNet reported that UK-based security researcher Robert Wiggins had discovered that mobile app TeenSafe — which allows parents to check their kids’ location, call logs, texts, and more — left two of its servers hosted on Amazon’s cloud unprotected, exposing tens of thousands of user accounts.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet after the publication altered them to the leak.
As ZDNet explains, the database in questions contains parents’ email addresses, as well as the corresponding Apple ID email addresses of their kids, the name of their device, and the device’s unique identifier. Plaintext passwords for the children’s Apple accounts are stored on the server as well, and the app requires two-factor authentication to be disabled. The good news is that the actual content on the phone (photos, texts, location data) was not accessible via the server, but all that a bad actor would need to do to find the content would be to log into the Apple account.
TeenSafe claims that over one million parents use its app, and it’s unclear how many of them may be affected by this leak. ZDNet says that 10,200 records appeared on the server from the past three months, but some of those might be duplicates. Either way, if you’ve ever used the app, change your passwords ASAP.