Slashdot Mirror
'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com)
An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
Recently it seems every week we read about data "leaks" or data "breaches".
The government needs to step up and create both civil and criminal forms of punishment such that a strong incentive exists for responsible parties to do more toward preventing data from being exposed.
Of course things will still go wrong, but strong disincentives which provide for civil and / or criminal penalties should at least act to reduce such events.
As an aside, I remember a year or so ago, a person I know smugly told me that "WhatsApp" was a 100% secure means of communicating which could not be spied on. My reply was : "I doubt that will be true for long".
Spyware (Because that's what this is.) that requires you to specifically compromise your target by intentionally disabling security features; is, in turn, itself insecure? And people are shocked by this?
Sorry, but I really can't conjure up any sympathy here. This is not a case of someone just screwing up and getting pwned. This is an intentional and malicious attack (and a particularly stupid one at that) that just happened to backfire. Every bad thing that might happen... to either the company or the parents... is richly deserved.
Imagine all the people...