'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

Absent legal penalties, this shit will persist.

Recently it seems every week we read about data "leaks" or data "breaches".

The government needs to step up and create both civil and criminal forms of punishment such that a strong incentive exists for responsible parties to do more toward preventing data from being exposed.

Of course things will still go wrong, but strong disincentives which provide for civil and / or criminal penalties should at least act to reduce such events.

As an aside, I remember a year or so ago, a person I know smugly told me that "WhatsApp" was a 100% secure means of communicating which could not be spied on. My reply was : "I doubt that will be true for long".

Re:Does Amazon Cloud default to no-security?

"Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc.. Lots of possibilities. It just says "two leaky servers", which isn't very precise.

In most cases, this all boils down to bad (or lack thereof) systems administration by the Amazon customer. If it's S3, Amazon has sent out Emails to all customers, multiple times, stressing the importance of proper S3 and IAM policies and to review said policies.

If it's EC2, SSH is open to the world by default (as it should be), and it's expected that the administrator lock it down (either through security groups or network ACLs); if you open up an Amazon technical support request (for anything!), they actually by habit review SGs and ACLs and will tell you "BTW, your servers have SSH open to the world, you should fix that" (sometimes it cannot be fixed, as some employees/etc. have roaming IPs).

If it's an RDS instance (ex. MySQL), then yes, the servers default to being publicly-accessible (it's a radio button you can toggle between private/VPC-only and public during the final stage of deployment); I agree "private" would be a better default.

That said: for whatever reason, security is rarely in the foregrounds of the minds of DevOps people today. For those of us that are "old beardo" UNIX SAs, it's the first thing that comes to mind when someone asks for something, and is often a reason we tell people "no you cannot have that".

That is a problem indeed. Also, break-ins happen

[raymorris]

> discourage hacking targets from coming forward, which is worse for everyone. Imagine if they treated banks like that after a stick-up or heist

That's certainly an issue. Sharing information is important, knowing what kinds of attacks are being done against which kind of targets, etc. Companies like Cisco Talos and Alert Logic are able to better protect customers by proactively taking action to protect customers A and B against the type of attacks currently coming at Company C.

    What we're just starting to see is cybersecurity being handled similarly to bank security and fire safety - insurance companies setting standards to avoid having a problem, ahead of time. Insurance companies are really, really good at managing risk, at determining through statistics and other means which safeguards will best reduce risk.

Businesses are penalized (via higher premiums) not afterwards for ending up a victim, but for being sloppy - before anything bad happens. Better protection means lower risk and lower premiums.

Disable Two Factor Authentication?!?!?

[Xylaan]

Any guess why they want you to disable 2FA? My best guess is they use this information to query Apple for information usually only available to the owner, such as Find My Phone. But either way, this seems beyond terrible.

In which case, is this software violating the Apple user agreement in some way? Or inducing the parents to do so?

Let me get this straight...

[SvnLyrBrto]

Spyware (Because that's what this is.) that requires you to specifically compromise your target by intentionally disabling security features; is, in turn, itself insecure? And people are shocked by this?

Sorry, but I really can't conjure up any sympathy here. This is not a case of someone just screwing up and getting pwned. This is an intentional and malicious attack (and a particularly stupid one at that) that just happened to backfire. Every bad thing that might happen... to either the company or the parents... is richly deserved.

Re:Let me get this straight...

[fafalone]

Sometimes I think a lot of adults forget what it's like being a teenager. By that age, it's what you've taught them that's going to determine what they do, not trying to force control on a device. They'll just use a friends device, or buy a cheap prepaid you won't know about, the minute they want to do something you have blocked on their own phone. More often than not I'd bet in encourages such rebellion; teens aren't fans of being blocked by force for something.
When I was in highschool there were filters against porn and some other stuff in the library; I found you could get around the filters by substituting the IP for the domain name. The whole grade knew within a week. So they fixed that, an hour later I found that if you entered the IP as a long (slashdot=216.105.38.15=3630769679), bypassed again, everyone knew within a week again. So they fixed that, used proxies. Fixed that, installed program to get around. Blocked all unknown exes, block was bypassed by using ShellExecute in VBA.
Teens and cell phones today are absolutely no different; at least one person they know will tell them how to bypass any security measure you take. And these spyware apps I can almost guarantee are doing more harm than good.

Parents that use this are utterly creepy

[gweihir]

Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?

The ultimate tool for Helicopter Parenting

[Rick+Schumann]

Slightly off-topic, I know, but: It's sad and wrong that there is even such a thing as this 'app', regardless of how 'secure' it is. What ever happened to teaching your children the value of trust via example, by trusting them, and them respecting the trust put in them? Now you have parents installing what amounts to an ankle monitor like someone under house arrest is required to wear. How sad is that?