TeenSafe is a monitoring app on Android and iOS which allows parents to keep a track of their kids in order to keep them ‘safe’. Ironically, the app itself isn’t really safe to begin with. According to a recent report from ZDNet, TeenSafe has been hosting users’ Apple IDs and passwords on open servers which are not even protected by a password.
The controversial app allows parents to monitor their child’s text messages, location, call logs, and web browsing history. It had two such unprotected servers which were hosted on Amazon’s cloud service, and first discovered by security researcher Robert Wiggins. Wiggins revealed that just one of the servers had 10,200 records on a database, containing primary emails used to sign up to TeenSafe along with the associated teen or child user’s Apple ID email address.
The unprotected servers also recorded the device names, its unique identifiers, and the plaintext password for the child’s Apple ID. It’s worth noting that no content such as photos, messages, or location data was found on the servers.
TeenSafe has since closed one of the servers to the public after being alerted by ZDNet and has announced that it has “begun alerting customers that could potentially be impacted.” It remains unclear if the app has any other such unprotected servers containing additional data. TeenSafe claims to have over a million parents using the service and if there are any more such servers all of the users could in turn be affected by a data breach.