TeenSafe, the service that lets parents monitor their kid’s smartphone online activity, let 10,200 Apple ID user names and passwords leak. What’s worse, all the information was in plain text and the service requires two-factor authentication be disabled.
Two TeenSafe servers were apparently accessible to anyone who knew where to look. The servers hosted the parents’ email addresses, along with the children’s Apple ID email addresses and passwords in plain text.
The issue was discovered by security researcher Robert Wiggins, according to ZDNet. Both the servers, hosted on Amazon’s AWS, are now offline. TeenSafe says the parents associated with affected accounts are being notified.
TeenSafe claims its service is secure and encrypts data. In this case, however, that seems to be the exact opposite of what’s happening.
Requiring two-factor authentication be disabled to use the service also seems like a slap in the face for security since it removes the one thing that would’ve protected the logins—the requirement for a special code to continue the login process. Without two-factor authentication, anyone who got ahold of the database has unfettered access to all of the Apple ID accounts, including email, contacts, and documents stored in iCloud.
If you’re using TeenSafe to monitor your children’s iPhone or other smartphone activity, change their Apple ID password now to be safe. Considering the service requires two-factor authentication be disabled, maybe it’s time to look for another way to see what your children are doing online.
TeenSafe says it was “Built by parents for parents.” Maybe they should’ve looked for some parents who understood encryption and security.