TeenSafe, an app used by parents to monitor their children’s smartphone activity, leaked data from tens of thousands of accounts, UK-based security researcher Robert Wiggins found.
Wiggins, who is affiliated with the not-for-profit Open Bug Bounty platform, revealed TeenSafe servers hosted on Amazon’s cloud were unprotected and accessible by anyone without a password, ZDNet reported.
At least two of these servers leaked data, which impacted accounts of both parents and children. Both servers were pulled offline after TeenSafe was alerted.
In a statement to ZDNet, the US-headquartered company said: “We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted”.
The app’s website states it is a subscription service for parents of children aged between seven and 17 years-old, which provides smartphone monitoring capabilities for $14.95 a month.
Parents can access information including sent, received and deleted texts, and iMessages; call logs; device location; web browsing history; and messages sent via WhatsApp and Kik Messenger.
The app’s database stores the parents’ and child’s email addresses, along with the child’s Apple ID email address and passwords. Wiggins said these details were in plain text, meaning they were not encrypted.
The database also includes the name and unique identifier of childrens’ devices, but not photos, messages or location information.