If you’re the kind of parent who wants to spy on everything your kids do, you can force them to install an app like Teensafe, which only works if your kid doesn’t use two-factor authentication; you have to give it your kid’s device ID and password, so if that data leaks, it would allow anyone to break into your kid’s cloud and plunder all their private data.
Naturally, Teensafe stored thousands of parents and kids’ usernames and passwords, without encryption, on an insecure server.
The company took the server down after being notified of the security problem by UK security researcher Robert Wiggins.
Most territories do not require that parents obtain their children’s consent before spying on them with apps like this.
The database stores the parent’s email address associated with TeenSafe, as well as their corresponding child’s Apple ID email address. It also includes the child’s device name — which is often just their name — and their device’s unique identifier. The data contains the plaintext passwords for the child’s Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child’s account to access their personal content data.
Teen phone monitoring app leaked thousands of user passwords [Zack Whittaker/Zdnet]