Thousands of Apple ID passwords leaked by teen security iOS app

App is an open door

In one of the cruelest ironies of the year, an app which claims to 'protect your most valuable treasure' has leaked the details of tens of thousands of accounts belonging to both parents and children.

As revealed by ZDNet, mobile app TeenSafe was storing its database on two servers hosted by Amazon Web Services where (and here's the kicker) it was unprotected and accessible without so much as a password.

The discovery was made by UK-based security researcher Robert Wiggins, who spends his days searching for public and exposed data. Both servers, along with another that contains test data, were hoiked offline by TeenSafe when the California firm was alerted by ZDNet.

A spokesperson for the company confirmed the story and added that it was speaking to affected customers: "We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted."

You might be wondering what exactly was on those servers. Surely they wouldn't store email addresses and passwords together, unencrypted on a server without a password?

Well, it's even worse than you might have thought. The information on the exposed database included the email addresses of parents who used TeenSafe, the Apple ID email addresses of their children, and the children's device names and unique identifiers. There were even plaintext passwords for the kids' Apple IDs, flying in the face of the company's claim that it uses encryption to protect customer data. And because the app requires that two-factor authentication is turned off, a malicious actor need only use the information on the server to access personal content. Fortunately, none of the records contained content data like photos and text messages that you'll never be able to understand. What 'just can't' she do? Why are there so many eggplant emojis?

While this is all pretty damning, TeenSafe has over a million customers and the database was apparently limited to 10,200, less than 0.02 per cent of the overall customer base. The company says that it will continue to address the situation and update customers as and when any more info is revealed.

Still, it might make parents think twice before signing up to one of these already controversial and privacy-invasive services.
