Privacy Cellphones Security Software Technology

'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com)

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address alongside the associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and the device's unique identifier. The data contains the plaintext password for the child's Apple ID. Because the app requires that two-factor authentication be turned off on the child's account, anyone viewing this data needs only those credentials to break into the child's account and access their personal content.

  • by Anonymous Coward on Sunday May 20, 2018 @06:41PM (#56644254)

    Recently it seems every week we read about data "leaks" or data "breaches".

    The government needs to step up and create both civil and criminal forms of punishment such that a strong incentive exists for responsible parties to do more toward preventing data from being exposed.

    Of course things will still go wrong, but strong disincentives which provide for civil and / or criminal penalties should at least act to reduce such events.

    As an aside, I remember a year or so ago, a person I know smugly told me that "WhatsApp" was a 100% secure means of communicating which could not be spied on. My reply was: "I doubt that will be true for long".

    • It seems to me that we have some fairly secure hardware and software systems available, but most people are too stupid to know how to use them properly.

      I agree, though, civil and/or criminal penalties may get their attention.
    • Really? Know what else happened this week? A volcano in Hawaii destroyed some homes and cars, and an asshole in Texas tried to murder roughly two dozen people, successfully killed about half of his intended victims. Consider laws against both of these events. In the case of a volcano, you can outlaw them all you like, volcanoes dont give a fuq. Murder perpetrated by a human, OTOH, was outlawed... the penalties are pretty severe and the living breathing bag of human excrement responsible in this case wi
      • Sorry... replying on slashdot on an iPad using Safari, it doesn't offer a preview link...

        Maybe PROVIDING expert guidance, I was saying, might be helpful, more than threatening people in the event of a breach. Also, providing criminal penalties will only discourage hacking targets from coming forward, which is worse for everyone. Imagine if they treated banks like that after a stick-up or heist. Blaming the victim like this... shit... I wonder if that is how rape victims feel...
        • > discourage hacking targets from coming forward, which is worse for everyone. Imagine if they treated banks like that after a stick-up or heist

          That's certainly an issue. Sharing information is important, knowing what kinds of attacks are being done against which kind of targets, etc. Companies like Cisco Talos and Alert Logic are able to better protect customers by proactively taking action to protect customers A and B against the type of attacks currently coming at Company C.

          What we're j

  • by Anonymous Coward
    Given the many incidents involving data exposed on Amazon Cloud, is there an issue with the Amazon Cloud defaults?
    • 
      by Anonymous Coward

      "Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc.. Lots of possibilities. It just says "two leaky servers", which isn't very precise.

      In most cases, this all boils down to bad (or lack thereof) systems administr

      • "Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc.. Lots of possibilities. It just says "two leaky servers", which isn't very precise.

        In most cases, this all boils down to bad (or lack thereof) systems administration by the Amazon customer. If it's S3, Amazon has sent out Emails to all customers, multiple times, stressing the importance of proper S3 and IAM policies and to review said policies.

        If it's EC2, SSH is open to the world by default (as it should be), and it's expected that the administrator lock it down (either through security groups or network ACLs); if you open up an Amazon technical support request (for anything!), they actually by habit review SGs and ACLs and will tell you "BTW, your servers have SSH open to the world, you should fix that" (sometimes it cannot be fixed, as some employees/etc. have roaming IPs).

        If it's an RDS instance (ex. MySQL), then yes, the servers default to being publicly-accessible (it's a radio button you can toggle between private/VPC-only and public during the final stage of deployment); I agree "private" would be a better default.

        That said: for whatever reason, security is rarely in the foreground of the minds of DevOps people today. For those of us that are "old beardo" UNIX SAs, it's the first thing that comes to mind when someone asks for something, and is often a reason we tell people "no you cannot have that".

        And if you pay someone to regularly do security scans, or do your own on "Cloud" instances, you should probably consider just getting an MBA so you can't do more harm in the future. /s
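The comment above lists three ways an "Amazon Cloud" server ends up open to the world: a bucket policy that grants read to everyone, SSH (or a database port) open to 0.0.0.0/0 in a security group, and an RDS instance created with the "publicly accessible" toggle on. As an added example, not code from the article, the poster or TeenSafe, here are offline detectors for those three patterns. They consume JSON in the shapes returned by GetBucketPolicy, DescribeSecurityGroups and DescribeDBInstances; every sample document (bucket name, account ID, group ID, instance names) is constructed for illustration and is not data from the incident.

```python
"""Offline detectors for three common AWS exposure patterns: a bucket policy
that grants read to everyone, a security group with a sensitive port open to
the world, and an RDS instance marked PubliclyAccessible.  Inputs mirror the
JSON shapes of GetBucketPolicy, DescribeSecurityGroups and DescribeDBInstances;
the sample documents at the bottom are constructed, not real resources."""
import json


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list of them."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def s3_public_read_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each Allow statement that lets anyone read
    objects.  Statements carrying a Condition are skipped, since a condition may
    narrow the callers; flag those separately if you want a stricter audit."""
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"s3:getobject", "s3:*", "*"}:
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def sg_world_open_ports(security_group: dict, ports=(22, 3306)) -> list:
    """Return (port, cidr) pairs for inbound rules that expose one of `ports`
    (SSH and MySQL by default) to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in ("0.0.0.0/0", "::/0"):
                continue
            for port in ports:
                # IpProtocol "-1" is "all traffic" and carries no port range
                if proto == "-1" or (lo is not None and lo <= port <= hi):
                    findings.append((port, cidr))
    return findings


def rds_public_instances(describe_output: dict) -> list:
    """Identifiers of DB instances created with the 'publicly accessible' toggle on."""
    return [db["DBInstanceIdentifier"]
            for db in describe_output.get("DBInstances", [])
            if db.get("PubliclyAccessible")]


# Constructed sample inputs (hypothetical names and IDs; not real resources).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "AppRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # SSH to the world
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # HTTPS: expected
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},           # MySQL: internal only
    ],
}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False},
]}


def audit_samples() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "s3_public_read": s3_public_read_statements(SAMPLE_BUCKET_POLICY),
        "sg_world_open": sg_world_open_ports(SAMPLE_SG),
        "rds_public": rds_public_instances(SAMPLE_RDS),
    }


if __name__ == "__main__":
    print(json.dumps(audit_samples(), indent=2))
```

To run this against a real account, feed it the output of `aws s3api get-bucket-policy`, `aws ec2 describe-security-groups` and `aws rds describe-db-instances` instead of the sample dicts. The S3 check deliberately ignores the public-access-block and ACL layers, which can close or open a bucket independently of its policy, so treat a clean result here as necessary rather than sufficient.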

    • No, TeenSpy just turned out to be a double agent.
  • by Xylaan ( 795464 ) on Monday May 21, 2018 @12:20AM (#56645308)
    Any guess why they want you to disable 2FA? My best guess is they use this information to query Apple for information usually only available to the owner, such as Find My Phone. But either way, this seems beyond terrible.

    In which case, is this software violating the Apple user agreement in some way? Or inducing the parents to do so?
  • by SvnLyrBrto ( 62138 ) on Monday May 21, 2018 @12:40AM (#56645384)

    Spyware (because that's what this is) that requires you to specifically compromise your target by intentionally disabling security features is, in turn, itself insecure? And people are shocked by this?

    Sorry, but I really can't conjure up any sympathy here. This is not a case of someone just screwing up and getting pwned. This is an intentional and malicious attack (and a particularly stupid one at that) that just happened to backfire. Every bad thing that might happen... to either the company or the parents... is richly deserved.

    • Well it was the unprotected Amazon cloud server that released the information - the fact that the software is intrusive was not to blame for this breach.

      I don't necessarily think everything bad that might happen is richly deserved, I'm not a big fan of spying on kids, but there are few options when you want to give your child the ability to call in an emergency and text friends and not do absolutely everything else possible on a smart device.

      • Sometimes I think a lot of adults forget what it's like being a teenager. By that age, it's what you've taught them that's going to determine what they do, not trying to force control on a device. They'll just use a friend's device, or buy a cheap prepaid you won't know about, the minute they want to do something you have blocked on their own phone. More often than not I'd bet it encourages such rebellion; teens aren't fans of being blocked by force for something.
        When I was in high school there were filters
        • Yeah. On the one hand you have the sum total of our state-of-the-art security systems. On the other you have the raging hormones of a typical 14 year old. I know where I'm placing my bet in that fight...

          • And that was just to get around some dumb web filter. Our cell phones didn't have cameras when I was in high school, but imagine if some girl in my class told me to snap her or something? Whatever app block was on that phone would be useless before the day ended, and the next day all the people asking the nerd how to do it would be informed too.
        • Wtf, I did not know you could enter an IP address as a long [3630769679] until now.

      • Well, that depends. What is the parent's goal?

        Is it to raise a teen to be a safe and responsible internet/smartphone/computer/technology-in-general user? Then they should be taught good information security habits as early as possible; starting with proper password discipline beginning with: "Never, but NEVER give your password to anyone under any circumstances."; continuing along to how important 2-factor and encryption are, and including malware avoidance and removal. Seriously... we already entrust a

    • by sjames ( 1099 )

      Then feel sympathy for the teens. They weren't likely given much choice here.

  • by gweihir ( 88907 ) on Monday May 21, 2018 @06:22AM (#56645990)

    Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?

    • Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?

      To be fair here, there are a number of concepts to which a teenager's right to privacy comes in second place:

      1. Unless it's a prepaid phone, the parent is paying the bill - and, in the majority of cases, probably paid for the phone, too. If it's the parent's phone and the parent's service, being able to monitor what's going on isn't all that unreasonable. If a teen has purchased their own phone and their own service with their own money, sure, that's a bit different...but a parent monitoring the phone and s

  • Noun
            S: (n) safe (strongbox where valuables can be safely kept)
            S: (n) safe (a ventilated or refrigerated cupboard for securing provisions from pests)

    It's a collection of children, all in one convenient location. Nice work, TeenSafe. Great name, by the way. You had one job...

  • Slightly off-topic, I know, but: It's sad and wrong that there is even such a thing as this 'app', regardless of how 'secure' it is. What ever happened to teaching your children the value of trust via example, by trusting them, and them respecting the trust put in them? Now you have parents installing what amounts to an ankle monitor like someone under house arrest is required to wear. How sad is that?
