Slashdot Mirror


'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com)

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

44 comments

  1. Absent legal penalties, this shit will persist. by Anonymous Coward · · Score: 4, Insightful

    Recently it seems every week we read about data "leaks" or data "breaches".

    The government needs to step up and create both civil and criminal forms of punishment such that a strong incentive exists for responsible parties to do more toward preventing data from being exposed.

    Of course things will still go wrong, but strong disincentives which provide for civil and / or criminal penalties should at least act to reduce such events.

    As an aside, I remember a year or so ago, a person I know smugly told me that "WhatsApp" was a 100% secure means of communicating which could not be spied on. My reply was : "I doubt that will be true for long".

    1. Re:Absent legal penalties, this shit will persist. by reboot246 · · Score: 1

      It seems to me that we have some fairly secure hardware and software systems available, but most people are too stupid to know how to use them properly.

      I agree, though, civil and/or criminal penalties may get their attention.

    2. Re:Absent legal penalties, this shit will persist. by Anonymous Coward · · Score: 0

      Parenting via legislation. BRILLIANT!

      This happened because a certain type of overbearing parent just had to insert themselves in the private lives of their kids without having to, you know, treat them like human beings and have adult conversations.

  2. Does Amazon Cloud default to no-security? by Anonymous Coward · · Score: 1

    Given the many incidents involving data exposed on Amazon Cloud, is there an issue with the Amazon Cloud defaults?

    1. Re:Does Amazon Cloud default to no-security? by Anonymous Coward · · Score: 2, Interesting

      "Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc. Lots of possibilities. It just says "two leaky servers", which isn't very precise.

      In most cases, this all boils down to bad (or lack thereof) systems administration by the Amazon customer. If it's S3, Amazon has sent out Emails to all customers, multiple times, stressing the importance of proper S3 and IAM policies and to review said policies.

      If it's EC2, SSH is open to the world by default (as it should be), and it's expected that the administrator lock it down (either through security groups or network ACLs); if you open up an Amazon technical support request (for anything!), they actually by habit review SGs and ACLs and will tell you "BTW, your servers have SSH open to the world, you should fix that" (sometimes it cannot be fixed, as some employees/etc. have roaming IPs).

      If it's an RDS instance (ex. MySQL), then yes, the servers default to being publicly-accessible (it's a radio button you can toggle between private/VPC-only and public during the final stage of deployment); I agree "private" would be a better default.

      That said: for whatever reason, security is rarely in the foregrounds of the minds of DevOps people today. For those of us that are "old beardo" UNIX SAs, it's the first thing that comes to mind when someone asks for something, and is often a reason we tell people "no you cannot have that".
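Several of the checks the comment above describes (SSH or RDP left open to the world in a security group, an RDS instance left on the "public" setting) can be automated. The following is an added example, not code from the page, from any commenter, or from AWS: it audits constructed samples shaped like the JSON that `aws ec2 describe-security-groups` and `aws rds describe-db-instances` return, so it runs offline with no credentials; the group ids, names and the `ADMIN_PORTS` table are this example's own assumptions.

```python
"""Audit the AWS defaults the thread discusses: admin ports open to the
world in EC2 security groups, and RDS instances flagged publicly accessible.

Added example, not code from the page, any commenter, or AWS. It runs over
constructed samples in the shape of `aws ec2 describe-security-groups` and
`aws rds describe-db-instances` JSON, so no credentials are needed; the
group ids, names and the ADMIN_PORTS table are this example's assumptions.
"""
import ipaddress
import json

# Ports that should essentially never be reachable from any source address.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample: sg-0aaa mirrors the "SSH/RDP open to the world"
# default the comment describes; sg-0bbb restricts SSH to an office range
# but has an all-traffic (IpProtocol "-1") rule open to everyone.
SG_SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "admin-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})

# Constructed sample of RDS instances; PubliclyAccessible is the flag the
# console's private/public radio button sets.
RDS_SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "demo-public-db", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "demo-private-db", "PubliclyAccessible": False},
]})


def _is_world(cidr):
    """True for 0.0.0.0/0, ::/0 or any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_cidrs(rule):
    """Yield every IPv4 and IPv6 CIDR a single ingress rule allows."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _rule_covers_port(rule, port):
    """Does this TCP (or all-protocol) rule include the given port?"""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_admin_ports(describe_output):
    """Return (group_id, port, service, cidr) for every admin port reachable
    from a zero-length prefix, sorted so results are stable."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            for cidr in _rule_cidrs(rule):
                if not _is_world(cidr):
                    continue
                for port, service in ADMIN_PORTS.items():
                    if _rule_covers_port(rule, port):
                        findings.append((sg["GroupId"], port, service, cidr))
    return sorted(findings)


def public_rds_instances(describe_output):
    """Return identifiers of RDS instances with PubliclyAccessible set."""
    return sorted(db["DBInstanceIdentifier"]
                  for db in json.loads(describe_output)["DBInstances"]
                  if db.get("PubliclyAccessible"))


if __name__ == "__main__":
    for gid, port, service, cidr in world_open_admin_ports(SG_SAMPLE):
        print(f"{gid}: {service} ({port}/tcp) open to {cidr}")
    for name in public_rds_instances(RDS_SAMPLE):
        print(f"{name}: PubliclyAccessible=true")
```

Against real accounts the two samples would be replaced by the CLI output piped into the script; the all-traffic rule in the sample is there because a checker that only looks at `FromPort`/`ToPort` on `tcp` rules misses it.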

    2. Re:Does Amazon Cloud default to no-security? by bobstreo · · Score: 1

      > "Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc. Lots of possibilities. It just says "two leaky servers", which isn't very precise.

      > In most cases, this all boils down to bad (or lack thereof) systems administration by the Amazon customer. If it's S3, Amazon has sent out Emails to all customers, multiple times, stressing the importance of proper S3 and IAM policies and to review said policies.

      > If it's EC2, SSH is open to the world by default (as it should be), and it's expected that the administrator lock it down (either through security groups or network ACLs); if you open up an Amazon technical support request (for anything!), they actually by habit review SGs and ACLs and will tell you "BTW, your servers have SSH open to the world, you should fix that" (sometimes it cannot be fixed, as some employees/etc. have roaming IPs).

      > If it's an RDS instance (ex. MySQL), then yes, the servers default to being publicly-accessible (it's a radio button you can toggle between private/VPC-only and public during the final stage of deployment); I agree "private" would be a better default.

      > That said: for whatever reason, security is rarely in the foregrounds of the minds of DevOps people today. For those of us that are "old beardo" UNIX SAs, it's the first thing that comes to mind when someone asks for something, and is often a reason we tell people "no you cannot have that".

      And if you pay someone to regularly do security scans, or do your own on "Cloud" instances, you should probably consider just getting an MBA so you can't do more harm in the future. /s

    3. Re:Does Amazon Cloud default to no-security? by Anonymous Coward · · Score: 0

      > Given the many incidents involving data exposed on Amazon Cloud, is there an issue with the Amazon Cloud defaults?

      It depends upon what you think Amazon is selling. My impression was that Amazon was selling compute time and storage space on their network to customers who know or ought to know what they are doing. To use the favored car analogy, is it the problem of Ford, Honda, Toyota or any other car maker that some of the people who buy their products are bad drivers? Who is responsible for good driving? Is the manufacturer or the end user? Similar principle at work here. Who is responsible for security? I would argue that those building services on top of the Amazon platform are responsible for making their own products and services secure. Incidentally, this is why users should never really trust companies that use cloud computing with sensitive information if they can possibly help it. Security is hard to do well and it's expensive to get right. Consequently most developers are bad at it and most companies don't want to pay for it. I find that it helps to keep these two facts in mind and act accordingly when deciding which services I'm going to use and which services I'm not going to use and what information, if any, I'm going to provide to them.

    4. Re:Does Amazon Cloud default to no-security? by sound+vision · · Score: 1

      No, TeenSpy just turned out to be a double agent.

    5. Re:Does Amazon Cloud default to no-security? by Anonymous Coward · · Score: 0

      The default is no access from outside at all.

    6. Re:Does Amazon Cloud default to no-security? by Anonymous Coward · · Score: 0

      Thank you very much for the detailed explanation. Sounds like several of the checks mentioned in this post could be automated. If the product is marketed by Amazon as being very easy to use, and the defaults are poorly designed, and Amazon doesn't do automatic security checking, then they are setting themselves up for always being blamed when things go wrong.

  3. Only apps can app apps! by Anonymous Coward · · Score: 0

    Apps!

  4. Re: Absent legal penalties, this shit will persist by Hallux-F-Sinister · · Score: 1

    Really? Know what else happened this week? A volcano in Hawaii destroyed some homes and cars, and an asshole in Texas tried to murder roughly two dozen people, successfully killed about half of his intended victims. Consider laws against both of these events. In the case of a volcano, you can outlaw them all you like, volcanoes don't give a fuq. Murder perpetrated by a human, OTOH, was outlawed... the penalties are pretty severe and the living breathing bag of human excrement responsible in this case will probably never walk free again, since he's looking at 400 years in the electric chair, probably he knew that, and fuck all hell, he did it anyway. The all-stick, no-carrot approach is not a panacea for all the challenges facing our society. Maybe proving expert guidance on how to set up a password protected system because the way things are now, I think every tech company is out for itself, going it alone, and THAT could be part of the problem.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  5. Re: Absent legal penalties, this shit will persis by Hallux-F-Sinister · · Score: 1

    Sorry... replying on slashdot on an iPad using Safari, it doesn't offer a preview link...

    Maybe PROVIDING expert guidance, I was saying, might be helpful, more than threatening people in the event of a breach. Also, providing criminal penalties will only discourage hacking targets from coming forward, which is worse for everyone. Imagine if they treated banks like that after a stick-up or heist. Blaming the victim like this... shit... I wonder if that is how rape victims feel...

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  6. That is a problem indeed. Also, break-ins happen by raymorris · · Score: 2

    > discourage hacking targets from coming forward, which is worse for everyone. Imagine if they treated banks like that after a stick-up or heist

    That's certainly an issue. Sharing information is important, knowing what kinds of attacks are being done against which kind of targets, etc. Companies like Cisco Talos and Alert Logic are able to better protect customers by proactively taking action to protect customers A and B against the type of attacks currently coming at Company C.

        What we're just starting to see is cybersecurity being handled similarly to bank security and fire safety - insurance companies setting standards to avoid having a problem, ahead of time. Insurance companies are really, really good at managing risk, at determining through statistics and other means which safeguards will best reduce risk.

    Businesses are penalized (via higher premiums) not afterwards for ending up a victim, but for being sloppy - before anything bad happens. Better protection means lower risk and lower premiums.

  7. American Irony by Anonymous Coward · · Score: 0

    > ... app requires that two-factor authentication is turned off ...

    The applet to keep children safe, demands less safety for children. The USA has its own style of irony. What it really means is, the start-up wasn't designed to protect precious snowflakes, it was designed to encourage neurotic/overworked parents to spend money. The lack of corporate responsibility in the USA ensures these fuck-ups will occur again.

  8. Disable Two Factor Authentication?!?!? by Xylaan · · Score: 2

    Any guess why they want you to disable 2FA? My best guess is they use this information to query Apple for information usually only available to the owner, such as Find My Phone. But either way, this seems beyond terrible.

    In which case, is this software violating the Apple user agreement in some way? Or inducing the parents to do so?

  9. Let me get this straight... by SvnLyrBrto · · Score: 4, Insightful

    Spyware (Because that's what this is.) that requires you to specifically compromise your target by intentionally disabling security features; is, in turn, itself insecure? And people are shocked by this?

    Sorry, but I really can't conjure up any sympathy here. This is not a case of someone just screwing up and getting pwned. This is an intentional and malicious attack (and a particularly stupid one at that) that just happened to backfire. Every bad thing that might happen... to either the company or the parents... is richly deserved.

    --
    Imagine all the people...
    1. Re:Let me get this straight... by bug_hunter · · Score: 1

      Well it was the unprotected amazon cloud server that released the information - the fact that the software is intrusive was not to blame for this breach.

      I don't necessarily think everything bad that might happen is richly deserved. I'm not a big fan of spying on kids, but there are few options when you want to give your child the ability to call in an emergency and text friends and not do absolutely everything else possible on a smart device.

      --
      It's turtles all the way down.
    2. Re:Let me get this straight... by fafalone · · Score: 2

      Sometimes I think a lot of adults forget what it's like being a teenager. By that age, it's what you've taught them that's going to determine what they do, not trying to force control on a device. They'll just use a friend's device, or buy a cheap prepaid you won't know about, the minute they want to do something you have blocked on their own phone. More often than not I'd bet it encourages such rebellion; teens aren't fans of being blocked by force for something.
      When I was in high school there were filters against porn and some other stuff in the library; I found you could get around the filters by substituting the IP for the domain name. The whole grade knew within a week. So they fixed that; an hour later I found that if you entered the IP as a long (slashdot=216.105.38.15=3630769679), bypassed again, everyone knew within a week again. So they fixed that, used proxies. Fixed that, installed a program to get around it. Blocked all unknown exes, block was bypassed by using ShellExecute in VBA.
      Teens and cell phones today are absolutely no different; at least one person they know will tell them how to bypass any security measure you take. And these spyware apps I can almost guarantee are doing more harm than good.

    3. Re:Let me get this straight... by rjstanford · · Score: 1

      Yeah. On the one hand you have the sum total of our state-of-the-art security systems. On the other you have the raging hormones of a typical 14 year old. I know where I'm placing my bet in that fight...

      --
      You're special forces then? That's great! I just love your olympics!
    4. Re:Let me get this straight... by nitehawk214 · · Score: 1

      Wtf, I did not know you could enter an ip address as a long until now.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    5. Re:Let me get this straight... by Anonymous Coward · · Score: 0

      > Wtf, I did not know you could enter an ip address as a long [3630769679] until now.

      Most TCP stacks allow for this seeing as an IP is just 4 bytes, aka an unsigned long.

      You can also convert the long integer into hex and prefix it with a 0x which will work just the same.
      slashdot.org = 3630769679 = 0xD869260F = https://0xd869260f/
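The comments above illustrate why a URL filter that matches only the dotted-quad string misses the same host written as a decimal integer or a hex literal. As an added example (not from the page or any commenter), the canonicaliser below turns every numeric IPv4 spelling a browser accepts into the dotted form before a blocklist lookup; it covers the decimal and hex forms in the thread and also the octal and short forms (fewer than four components) that the same parser rules allow. The function names and the blocklist are this example's own assumptions.

```python
"""Canonicalise numeric URL hosts so a filter or proxy log matches them.

Added example, not code from the page or any commenter. The thread notes
that 216.105.38.15 can be written as 3630769679 or 0xD869260F; a filter
that only compares the dotted string misses both. This normalises the
host the way browsers parse IPv4 literals (decimal, hex, octal, and short
forms where the last component absorbs the remaining bytes) before the
comparison. Helper names and the blocklist are assumptions of this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# A component is either a hex literal (0x...) or a run of digits.
_NUM = re.compile(r"0x[0-9a-f]*|[0-9]+")


def _parse_part(part):
    """Parse one component: 0x.. as hex, leading 0 as octal, else decimal."""
    if part.startswith("0x"):
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)          # raises ValueError on e.g. "08"
    return int(part)


def canonical_host(host):
    """Return the dotted-quad form of any numeric IPv4 spelling; anything
    that is not a valid numeric IPv4 literal comes back lower-cased as-is."""
    host = host.strip().lower().rstrip(".")
    parts = host.split(".")
    if len(parts) > 4 or not all(_NUM.fullmatch(p) for p in parts):
        return host
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return host
    # Leading components are single bytes; the last one holds the rest.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return host
    value = sum(n << (8 * (3 - i)) for i, n in enumerate(nums[:-1])) + nums[-1]
    return str(ipaddress.IPv4Address(value))


def url_is_blocked(url, blocklist):
    """Compare the canonical host of `url` with the canonical blocklist."""
    host = urlsplit(url).hostname or ""
    return canonical_host(host) in {canonical_host(h) for h in blocklist}


if __name__ == "__main__":
    # Constructed blocklist entry; the spellings come from the thread.
    blocked = ["216.105.38.15"]
    for url in ("https://0xd869260f/", "http://3630769679/", "http://216.105.9743/"):
        print(url, "->", canonical_host(urlsplit(url).hostname), url_is_blocked(url, blocked))
```

Anything that is not a pure numeric literal (a DNS name, an out-of-range component) is left untouched rather than rejected, so the same function is safe to run over every host in a proxy log.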

    6. Re:Let me get this straight... by sjames · · Score: 1

      Then feel sympathy for the teens. They weren't likely given much choice here.

    7. Re:Let me get this straight... by fafalone · · Score: 1

      And that was just to get around some dumb web filter. Our cell phones didn't have cameras when I was in high school, but imagine if some girl in my class told me to snap her or something? Whatever app block was on that phone would be useless before the day ended, and the next day all the people asking the nerd how to do it would be informed too.

    8. Re:Let me get this straight... by SvnLyrBrto · · Score: 1

      Well, that depends. What is the parent's goal?

      Is it to raise a teen to be a safe and responsible internet/smartphone/computer/technology-in-general user? Then they should be taught good information security habits as early as possible; starting with proper password discipline beginning with: "Never, but NEVER give your password to anyone under any circumstances."; continuing along to how important 2-factor and encryption are, and including malware avoidance and removal. Seriously... we already entrust a huge portion of our lives to our computers and cell phones. And the value of that data is going to do nothing but increase. Good infosec habits are a damn valuable lesson that will do a child much more good than... well... What lesson DOES it teach when you force spyware upon them?

      And then there's the other possible parental goal in play here: Feeding their own ego by exerting power against someone who is in no position to resist. These are contemptible creatures. And I really must disagree with your professed leniency towards them.

      I suppose there's a third possibility in that some parents might place the spyware on their teens' phones as a lesson; and the ones who discover and remove it are rewarded. But that seems a somewhat ad hoc and suboptimal way to get the point across.

      --
      Imagine all the people...
  10. Defaults. Amazon chooses the defaults by raymorris · · Score: 1

    Much of what you said is true, but Amazon chooses the defaults. Amazon chose the defaults before the customer even logged in, so Amazon's choice of default settings can't possibly be the customer's responsibility.

    If a customer changes a setting, that's almost 100% on the customer (if it's even sane to offer the option, it's clear what the option does, etc.)

    I do security for a living, focused on securing AWS instances. I've been doing security for a living for 20 years. So I'm a tad familiar with security concepts. A few nights ago, I was working late because a co-worker couldn't figure out how to do their work and I had to do it for them. I spun up an EC instance and because I was tired I missed changing the default for the security group.

    The average time to infection for a Windows AWS instance exposed to the Internet is MINUTES, and that's Amazon's default - RDP open to the world. Not just to the IP that set it up, not just your country even, but open to everyone. Sure enough within a few minutes someone on Amazon's "known attacker IPs" list owned the machine. Amazon KNOWS those IPs are attackers, they have them in a list, yet by default they give even known attackers access to every new server. That's a bad default, imho.

    1. Re:Defaults. Amazon chooses the defaults by rjstanford · · Score: 1

      In this case it's even starker - Amazon offers hosted SQL databases that are inherently quite secure. If you choose to ignore that offering and instead install your own DB onto an exposed instance, that's your own damn fault and you're on your own.

      --
      You're special forces then? That's great! I just love your olympics!
    2. Re:Defaults. Amazon chooses the defaults by sjames · · Score: 1

      Think of AWS as no contract automated server rental. They have no idea what you'll be doing with the server or how sensitive your data might be. Only you can make those determinations.

      As for Windows, what you say is true of Windows ANYWHERE. That's MS's default.

  11. Re: Absent legal penalties, this shit will persis by Anonymous Coward · · Score: 0

    > Sorry... replying on slashdot on an iPad using Safari, it doesn't offer a preview link...

    It also leads one to wonder whether the poster is of intelligence sufficient to figure out how to bypass the lame-as-hell mobile site. C'mon, it's NOT hard, people.

  12. Re: Absent legal penalties, this shit will persist by Anonymous Coward · · Score: 0

    So... Because some people will still break the law you are suggesting we shouldn't have any punishments for breaking any laws?

  13. Hmmm... by Anonymous Coward · · Score: 0

    "TeenSafe" ... "secure" .... "plain-text passwords" ....

    Hmmmmmmmmmmmmmmmmmm

  14. Parents that use this are utterly creepy by gweihir · · Score: 2

    Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Parents that use this are utterly creepy by Voyager529 · · Score: 1

      > Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?

      To be fair here, there are a number of concepts to which a teenager's right to privacy comes in second place:

      1. Unless it's a prepaid phone, the parent is paying the bill - and, in the majority of cases, probably paid for the phone, too. If it's the parent's phone and the parent's service, being able to monitor what's going on isn't all that unreasonable. If a teen has purchased their own phone and their own service with their own money, sure, that's a bit different...but a parent monitoring the phone and service they pay for doesn't seem unreasonable.

      2. There can be situations where a parent can be held liable, or de facto liable, for a child's actions. It's not outright fascism if the parent is potentially the one who will have to lawyer up.

      3. Like everything else, there is room for responsible use and misuse. A parent may well require the software to be installed on the phone, but never look at it until there is 'probable cause'. It's not an invasion of privacy to ensure a valid trail of evidence is secured, especially when, once again, the parent may well be called into the superintendent's office to have "a conversation".

      4. Placing value on the fourth amendment is, like most other things, something that is both taught and learned. A whole generation has basically been brought up with the "nothing to hide" idea, from parents who aren't of the persuasion that privacy matters. A parent who is going to summarily go through a teen's phone because they feel like it isn't the sort of parent who will either teach or model a "do you have probable cause" argument at home.

      5. Security cameras are *everywhere*. They cover every square inch of a school, school bus, Starbucks, library, amusement park, restaurant, and at least half the homes children live in. Gen-Z is already living in a world where it's impossible to avoid being surveilled. If the parents aren't doing it, Aunt Google and Uncle Facebook are.

      It's the type of software that can be effectively used by responsible parents and abused by irresponsible ones, but responsible parents don't suddenly become irresponsible because of a cell phone app.

  15. Re: Absent legal penalties, this shit will persis by Anonymous Coward · · Score: 0

    Yes, it would be great if there was a "security standard" that all these companies implemented. The word "secure" is currently a marketing term and nothing more. It's a "We know our systems are secure!" The problem is that they know so little... probably less than the user.

    I am sure there are certifications and such but the media should be out there educating the public. "This company said they were secure, but they didn't have any certification, not even SP112, on their Amazon cloud server."

    That will get people talking about those kinds of certifications like people notice with the sweat/rain/shower/pool proofing of their phones. It's not going to make us totally safe, but at least set a low bar. Right now it is a free for all.

  16. Safe? by drinkypoo · · Score: 1

    Noun
            S: (n) safe (strongbox where valuables can be safely kept)
            S: (n) safe (a ventilated or refrigerated cupboard for securing provisions from pests)

    It's a collection of children, all in one convenient location. Nice work, TeenSafe. Great name, by the way. You had one job...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. parents data getting leaked? by Anonymous Coward · · Score: 0

    honestly I do not understand parents who do this

    yes kids do stupid shit. I remember the stupid shit I did.

    let them do stupid shit AND GET IN TROUBLE FOR IT.

    this is honestly kind of ironic no?

    they sort of deserve it.

  18. Good thing by Anonymous Coward · · Score: 0

    Good thing being incompetent isn't illegal or someone would have to pay for this.

  19. You can't stop the hackers by Anonymous Coward · · Score: 0

    If the best companies in the world have fallen to hackers, be it Sony, Equifax, and even the US government, then why should a small company whose job it is to protect kids be able to handle what nation-states cannot?

    The bad guys can get into anything these days. It isn't their fault, and most companies cannot afford security. Plus, security has no return anyway, so a company with security will be left in the dust by the competition that doesn't bother.

  20. The ultimate tool for Helicopter Parenting by Rick+Schumann · · Score: 2

    Slightly off-topic, I know, but: It's sad and wrong that there is even such a thing as this 'app', regardless of how 'secure' it is. Whatever happened to teaching your children the value of trust via example, by trusting them, and them respecting the trust put in them? Now you have parents installing what amounts to an ankle monitor like someone under house arrest is required to wear. How sad is that?

  21. With 14 drive partitions by raymorris · · Score: 1

    > They have no idea what you'll be doing with the server

    Yeah they don't know, maybe whatever you're doing would benefit from having 14 partitions on the drive. They don't do that by default, because 99.999% of the time that would be stupid.

    Their default security groups are stupid for 99.999% of users.

    1. Re:With 14 drive partitions by sjames · · Score: 1

      Their defaults are designed to keep 99.999% of their users from pestering them for support so they don't have to charge more to be profitable. If you need managed servers, pay somebody more so they can get your instance set up for you.

  22. Re: Absent legal penalties, this shit will persist by Anonymous Coward · · Score: 0

    We are talking about legislation for data breaches. Grown up stuff. Nothing to do with overbearing parents. Do try to keep up. What's that? You can't? Because you have an agenda, that's why.