Teen monitoring app exposes plaintext Apple ID passwords of its users

A popular teen monitoring app has become a victim of a data breach in which plaintext Apple ID passwords are believed to have been compromised.

Called TeenSafe, the app has over a million subscribers and is popular with parents because it lets them track the whereabouts of their teens. It is advertised as a safe teen monitoring app designed for iOS devices.

By using this app, parents can check on their kids by monitoring their location, web history, call history and text messages. Basically, they can learn what their teens are doing with their phones.

The cause of the data breach, as reported by ZDNet, was the use of unprotected servers on Amazon Web Services (AWS). The app's servers were hosted on the AWS platform, and because they were unprotected, anyone could access the information without entering a password.

The unprotected servers were discovered by security researcher Robert Wiggins. When he notified TeenSafe, the company took the servers offline, but it was a huge security lapse on its part.

Apparently, over 10,000 records from the past three months were exposed in the breach. The servers stored the email addresses of the subscriber parents and the Apple ID email addresses of their children. The servers also stored the unique device identifiers of the registered devices, along with the children’s Apple ID passwords in plaintext.

TeenSafe is now notifying the customers who might have been affected by the data breach, stated a spokesperson for the company.

“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” the spokesperson told ZDNet on Sunday.

Parents can monitor all sorts of data with this app, from text messages sent and received on both Apple iMessage and Android platforms to messages on WhatsApp and Kik Messenger.

What’s even more alarming is that TeenSafe requires parents to disable two-factor authentication on their child’s Apple ID so that they can keep monitoring their child’s activities without needing direct permission. With two-factor authentication disabled, an exposed password is all that is needed to sign in to the account. One relieving aspect is that the records didn’t include photos.

The company claims to be storing a minimum of 10,200 customer records from the last three months, but this figure is inflated because some of the records were duplicated.

“The database stores the parent’s email address associated with TeenSafe, as well as their corresponding child’s Apple ID email address. It also includes the child’s device name — which is often just their name — and their device’s unique identifier. The data contains the plaintext passwords for the child’s Apple ID,” wrote ZDNet.

TeenSafe was previously in the news for collecting huge amounts of data and for invading children’s privacy, and now it is receiving severe backlash from security experts for failing to protect sensitive customer records.

If you have ever used TeenSafe, keep an eye on your account and login credentials associated with it.


Uzair Amir
