TeenSafe app exposes data on more than 10K accounts
TeenSafe app exposes data on more than 10K accounts

Parents probably don't appreciate the irony – the TeenSafe app they use to monitor their children's devices instead has left personal information exposed after a server affiliated with the app and hosted on AWS was left open to the public.

This enabled anyone who ran across the server could access Apple IDs, user ID and passwords stored in plaintext.

“It is absolutely shocking that a company that promotes security and protecting your most valuable assets, your children, have completely left sensitive data unsecured available to cybercriminals who will abuse it,” said Joseph Carson, chief security scientist at Thycotic. “It might be time for TeenSafe to change their tagline to ‘TeenSafe, built by parents who have no idea about security and for parents who don't care about security.'”

Parents use the app to monitor their children's web browser history, location data, third-party apps, text messages and the like. The app touts its security measures, including encryption, but requires that parents turn off two-factor authentication to use it, leaving sensitive information vulnerable to an attacker. “The ironic thing is that they require two-factor authentication to be turned off (yes turned OFF) and that they store passwords in clear text,” said Carson. “It's surprising that companies still do such irresponsible actions against cybersecurity best practices.” 

Carson warned that “passwords should never be left exposed and you should never turn off two-factor authentication for such apps.” Instead, he advised, “communicate more with your children so you do not have to spy on them.”    

Calling the TeenSafe fail “a result of poor judgment and bad security processes,” Chris Morales, head of security analytics at Vectra, called the company “irresponsible” for storing parental email addressed “associated with their corresponding child's Apple ID email address, the child's device name, unique identifier and plaintext passwords for the child's Apple ID in the cloud without proper security controls.”

Rishi Bhargava, co-founder at Demisto, called clear text passwords “evil” and said there isn't a good reason “to store any password in a database without encryption. There are so many open source libraries to do basic encryption that encrypting passwords is not additional work at all.”

The exposed server, which compromised the data of 10,200 accounts, along with a second server was discovered by security researcher Robert Wiggins, who is based in the U.K., according to a report by ZDNet. Open servers in the cloud have become increasingly common much to the glee of bad actors. “Properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources,” said Sanjay Kalra, co-founder and Chief Product Officer at Lacework. “It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

Morales noted, “cloud is a shared responsibility and as a provider of a cloud service” and “TeenSafe is responsible for securing their customer's information in the cloud. Even if this server was on-premises at TeenSafe within their perimeter security controls, this type of data should be secured with encryption and administrative access controls.”

Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice at Cavirin, a Santa Clara, Calif.-based provider of cybersecurity risk posture and compliance for the enterprise hybrid cloud:

“Under the shared responsibility model, said Mukul Kumar, CISO and vice president of cyber practice at Cavirin, “TeenSafe has the responsibility to protect the data, but their IT team obviously didn't uphold their part of the (shared responsibility) bargain.”

But cloud providers, even those like Amazon that pros said offer security, “probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise,” said Kumar. 

“When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge,” he said. “Parents deploying these types of applications also need to better understand the nuances of these applications, but we know that won't happen.”

TeenSafe should count itself lucky the lapse in security and privacy was discovered before the GDPR requirements take effect later this week. “With only 4 days until the EU GDPR is enforced, TeenSafe appears to have been lucky with the timing of this incident,” said Carson. “However, I'm sure it might not be the last we hear about how this impacts EU citizens data which should make May 26 (the day after the GDPR compliance deadline) an interesting day related to this particular data breach.”