UPDATED 20:41 EDT / MAY 20 2018


Child tracking service TeenSafe exposes passwords on misconfigured AWS storage

A smartphone monitoring service designed to allow parents to track teenagers has been found to have exposed passwords, in plain text no less, on a publicly available Amazon Web Services S3 storage instance.

First reported by ZDNet, the data breach relates to a service provided by TeenSafe Inc., a seven-year-old Santa Monica, California-based company that promises to help parents protect their children.

The company’s only product, an app available for iOS and Android that tracks everything a child does and sends the data back to a cloud server for parents to view, is pitched as helping parents detect the hidden dangers lurking inside their child’s smartphone. “Whether your child uses an iPhone or Android device, TeenSafe can help you keep tabs on what they are doing, who they are talking to and where they are,” the product page notes.

The data on the AWS instance, or unit of storage, included parents’ email addresses associated with TeenSafe, as well as their corresponding child’s Apple ID email address; the child’s device name and unique identifier; and plaintext passwords for the child’s Apple ID.

For the kicker, the app, which the company claims is used by more than 1 million parents, requires that two-factor authentication be turned off. That means that if hackers did get their hands on the data, both gaining access to an account and stealing the data would be dead easy.

The report doesn’t say whether the data had been accessed by a malicious actor, and fortunately there were only 10,200 records found, a small portion of the claimed customer base of 1 million. The company said it has taken the data offline and said that it had “begun alerting customers that could potentially be impacted.”

It’s easy to say that this is just another AWS S3 misconfiguration, but the only good news is that after constant exposure last year of this type of problem, the message that it’s important to secure online cloud storage, particularly AWS instances, may be finally getting through.

That said, it’s only May 20 and the year still has a long way to go. Only this week, data relating to as many as 3.5 million Los Angeles County residents were found on an AWS S3 instance in nearly identical circumstances. According to Govtech.com, the data consisted of at least 396,000 contact emails and 33,000 Social Security numbers.

Others this year to have exposed data the same way include FedEx Corp., BJC Healthcare and Octoly.

Image: TeenSafe

 

