Parents have been using a monitoring service called TeenSafe to ensure their kids are protected, but the app reportedly has some security issues of its own.
, two of the company’s servers, which are hosted on Amazon’s cloud service, were left unprotected without a password, meaning the accounts of thousands of parents and their children were left exposed.
TeenSafe allows parents to monitor their children’s texts, view website history, call logs, contacts, and third-party apps, including messages on WhatsApp and Kik, installed on an iPhone or Android device.
Prior to Tinder’s ban on users under 18 two years ago, TeenSafe even allowed parents to spy on their children’s activity on the dating app.
Discovered by security researcher Robert Wiggins, one server had 10,200 records on a database — albeit with some duplicates — which contained the primary emails used to signed up to a TeenSafe account, as well as the associated child’s Apple ID email address.
Also in the record was the device name, its unique identifier, and the plaintext passwords for the child’s Apple ID. TeenSafe requires two-factor authentication to be turned off in order to work, meaning there was enough on the database for the nefarious to break into accounts.
No content such as photos, messages, or location data belonging to parents or children were found on the server. The other server, only contained test data, and it’s unclear if there are other unprotected servers out there.
TeenSafe closed one of the servers to the public after being alerted of the vulnerability by ZDNet, and said it had “begun alerting customers that could potentially be impacted.”
Teen monitoring apps have been criticised for potentially undermining the trust between parents and children, and inhibiting the ability for kids to learn how to handle risks.
Despite the concern, TeenSafe boasts more than 1 million users in the U.S. The company has been contacted for further comment by Mashable.