An app that lets parents monitor their teenagers' activities on their smartphones stored teens' password information in plaintext on improperly protected web servers, available to anyone who might have found the servers.
That's the takeaway from an investigation ZDNet recently conducted on the app TeenSafe. A tipster, British information-security researcher Robert Wiggins, told reporter Zack Whittaker that TeenSafe had left its Amazon Cloud servers unprotected, accessible to anyone without a password.
Anyone who had visited the servers would have found a database of users, their Apple IDs, and their passwords in plaintext. (There's no evidence that anyone actually stole any data.) The accounts held the information of both parents and teenagers, and there were more than 10,000 records on the servers at last count, according to ZDNet. No messages, photos, or other content were accessible.
TeenSafe bills itself as a "secure" app for Android and iOS that lets parents see what their kids are doing on their smartphones. The app gives parents access to their children's browsing history, a copy of the text messages the kids are sending, and a log of who they're calling. According to ZDNet, TeenSafe says it has more than 1 million parents on its service.
For its part, TeenSafe acknowledged the security flaw and told ZDNet that it was beginning to contact the customers whose data may have been readily accessible. The app maker said it has also taken down the two offending servers, which are now inaccessible.
For now, TeenSafe would only tell ZDNet that it was still analyzing the leak and "will provide additional information" as it learns more. ZDNet was, however, able to contact at least some of the affected users via iMessage to tell them of the breach. The publication also used the emails to identify where some of the students went to high school.
TeenSafe hasn't yet said why it stored content, especially passwords, in plaintext. On its website, it says that all data is encrypted.