TeenSafe app left thousands of email passwords unsecured
Servers storing the information were not protected and open to anyone
Tracker app TeenSafe did more that keep tabs on children and their location, its servers also potentially leaked information including text messages, Apple ID email addresses, and plain text passwords.
Two servers were pulled after ZDNet found they were unprotected, and contact TeenSafe. The company also said it was notifying anyone who may have been affected.
Getting a smartphone can be a rite of passage for many children — particularly for those who are starting middle and high school. With these expensive hand-held computers, children also take on the responsibility of caring for the device — which may also include a tracker so parents know where their child is at every moment.
Smartphones can already be tracked and found without the need of an outside app. For Apple devices, anyone who has the Apple ID and password associated with the account can locate a missing iPhone through the Find My iPhone service. Android phones use a similar method, with Find My Device. But apps like TeenSafe, Life360 and others add another layer on top of that, often showing where someone has been during their day, even allowing people to message each other through the app.
Tracking people through technology is fairly simple. For anyone on the internet, the sites they visit — particularly social media — are almost always tracked. People can track keys, and even their pets. Apps can easily track handheld gadgets, and car tracking devices allow companies to follow their employees on the road, even letting someone know how a vehicle is being driven.
TeenSafe app does more than track, however. It also lets parents read text messages — even those that are deleted — check on social media use, see calls that have come in and made, as well as keeps tabs on where a device is at any moment. The app bills itself as layer needed to keep children safe from outside predators and potential cyberbullying.
The company also says on its web site that any data pulled from a phone where its app is installed is encrypted, and only seen by the person tracking the phone. Yet that appears not be true on at least two of the servers found.