News broke this week that the TeenSafe app allowing parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), and more was compromised. Although around 10,200 accounts from the past three months were compromised, the data did not include photos, messages, or location data. However, the TeenSafe app does require two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. IT security experts commented below.
Katie Carty Tierney, Sr. Director, Sales Engineering at WhiteHat Security:
“Data security is the first line of defense for our digital lives, but it’s often the last thing on the minds of parents trying to protect their children. Let’s face it, when you’re trying to protect your children, you’re not thinking about building a non-hackable password and using two-factor authentication – you’re thinking only of your children and their safety. That’s why parents were willing to turn off these additional protections, to track their kids’ mobile devices with the TeenSafe App. Unfortunately, in doing so, they have been opened up to danger. The information leaked from this app, which included Apple account user names and unencrypted passwords, could allow scammers, hackers, and potential abusers to access iCloud accounts and get access to photos, locations of the kids, daily schedules, and more.
Anyone with a digital identity needs to be aware and encouraged to implement a high threshold for access to their accounts, starting with strong passwords and two-factor authentication. If you’re ever asked to turn off an important security feature like two-factor authentication, even by an app that claims to be protecting your kids, you need to stop and educate yourself on the potential pitfalls. As we see with TeenSafe, protecting your kids isn’t as simple as installing an app on their phone – it requires awareness, education, and a whole lot of love.”
Mike Schuricht, VP Product Management at Bitglass:
“Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.