Slashdot Mirror
'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com)
An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
"Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc.. Lots of possibilities. It just says "two leaky servers", which isn't very precise.
In most cases, this all boils down to bad (or lack thereof) systems administration by the Amazon customer. If it's S3, Amazon has sent out Emails to all customers, multiple times, stressing the importance of proper S3 and IAM policies and to review said policies.
If it's EC2, SSH is open to the world by default (as it should be), and it's expected that the administrator lock it down (either through security groups or network ACLs); if you open up an Amazon technical support request (for anything!), they actually by habit review SGs and ACLs and will tell you "BTW, your servers have SSH open to the world, you should fix that" (sometimes it cannot be fixed, as some employees/etc. have roaming IPs).
If it's an RDS instance (ex. MySQL), then yes, the servers default to being publicly-accessible (it's a radio button you can toggle between private/VPC-only and public during the final stage of deployment); I agree "private" would be a better default.
That said: for whatever reason, security is rarely in the foregrounds of the minds of DevOps people today. For those of us that are "old beardo" UNIX SAs, it's the first thing that comes to mind when someone asks for something, and is often a reason we tell people "no you cannot have that".