TeenSafe Parent Phone Monitoring App Alarmingly Leaked Thousands Of Apple IDs And Passwords


An app designed to help parents spy on monitor their teenager's mobile phone activities has come under additional scrutiny for leaking account information of tens of thousands of parents and children.

The app is called TeenSafe and it allows parents to look over their child's shoulder, at least as it pertains to their cell phone use. Using the app, parents can view sent and received SMS and iMessage texts, including ones that have been deleted; look at call logs of incoming and outgoing calls with the contact name, number, date, and duration of the call; view the phone's web browser history; and track a child's location, along with see a history of places they have been. On Android devices, it also allows parents to see which apps their children have installed.

Some might view that level of monitoring as controversial in and of itself and an invasion of privacy, though that's a topic for another day. What's concerning in the moment is that it leaked so much data through at least one of the servers it uses on Amazon's cloud, which the company left unprotected. That means anyone could access the server and view certain data without having to input a password.

The data that was visible included email addresses belonging to parents who registered the app, and Apple ID email addresses of the phones they were tracking. It also included the device names (often the child's name), unique indentifiers of devices being monitored, and Apple ID passwords in plaintext. What makes that latter bit even worse that the app requires users to turn off two-factor authentication, leaving devices vulnerable to spying by malicious agents who might have peeked at the server data.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet.

Before the company disabled the server, there were more than 10,000 user records from the past three months. Some of them were duplicates though. There was also a second server that was unprotected, however it only appears it stored test data and not any additional user records.