Thousands of accounts for TeenSafe, which is a mobile app that parents can use to monitor what their kids are doing online, have been exposed in the latest Amazon Web Services cloud misconfiguration.
According to a report from ZDNet, which verified the data breach, there were at least two servers left open to the internet without a password, with information easily available in plaintext.
The leaky servers were discovered by security researcher Robert Wiggins, who told ZDNet that the information trove contained parental email addresses, Apple ID information including emails and passwords, the name of the teen’s device and the phone’s unique identifier. Fortunately, no location information, nor photos or message content was made public, but the info that was on offer is certainly enough to mount a phishing expedition or log into an account and hijack it.
“This breach is a perfect example of all information security and security development best practices being violated or not implemented whatsoever,” Rishi Bhargava, co-founder at Demisto, told Threatpost. “Clear-text passwords are evil and there is no reason to store any password in [a] database without encryption. There are so many open source libraries to do basic encryption that encrypting passwords is not additional work at all.”
Analysis of the bucket found that there were about 10,200 of the aforementioned records found in the main server, some of them duplicates; the other contained only test data by all appearances. TeenSafe has since removed the public access for both, and the company said that it’s in the process of notifying those affected. It didn’t say whether the information had been accessed by bad actors.
The app is a privacy and security researcher’s nightmare in many ways. On the former front, it allows parents to spy on their children in very invasive ways. These include being able to read all text messages, including those that were deleted, along with messages sent by third-party services, such as WhatsApp. It also records call logs, both outgoing and incoming; allows location-tracking and location history review; and gives parents a window into browsing history and bookmarks. The service allow allows parents to block access to certain apps and shut down the device entirely. All of this can be done without the teen’s consent.
Meanwhile, the service actually requires the disabling of two-factor authentication in order to use it. And no hashes or other precautionary measures were found among the data, even though the company claims on its homepage that it encrypts its data: “industry-leading SSL and vormetric data encryption to secure your child’s data,” it says, adding, “child’s data is encrypted – and remains encrypted – until delivered to you, the parent.”
“It is absolutely shocking that a company that promotes security and protecting your most valuable assets, your children, have completely left sensitive data unsecured and available to cybercriminals who will abuse it,” Joseph Carson, chief security scientist at Thycotic, told Threatpost via email. “The ironic thing is that they require two-factor authentication to be turned off (yes turned OFF), and that they store passwords in clear text. It’s surprising that companies still do such irresponsible actions against cybersecurity best practices.”
He added that with only four days until the EU’s GDPR privacy regulation is enforced, TeenSafe appears to have been lucky with the timing of this incident.
“I’m sure it might not be the last we hear about how this impacts EU citizens’ data, which should make May 26th an interesting day related to this particular data breach,” he said.
The misconfiguration of cloud storage buckets resulting in data exposure of sensitive information has been an ongoing problem for companies and organizations of all sizes, even at the US Department of Defense. Billions of records have been inadvertently exposed to the public internet in the past few quarters.
“This is yet another example of organizations, in this case one developing monitoring applications, deploying in the cloud without understanding the security implications,” said Mukul Kumar, CISO and vice president of cyber practice at Cavirin, via email. “Under the shared responsibility model, TeenSafe has the responsibility to protect the data, but their IT team obviously didn’t uphold their part of the shared-responsibility bargain. The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise. When spinning up on EC2 instance and S3 storage buckets is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge. Parents deploying these types of applications also need to better understand the nuances of these applications, but we know that won’t happen.”