UK-based security researcher Robert Wiggins this week revealed that TeenSafe, a Los Angeles-based app marketed as “secure”, left two servers hosted on AWS unprotected and accessible to anyone without a password.
At least one of the servers, used by the app to let parents monitor their teenagers’ phone activity, leaked data belonging to 10,200 children, including unencrypted passwords, parent email addresses and device names, before ZDNet, which first reported the story, informed the company.
Richard Walters, Chief Security Strategist at web security services company CensorNet, explained: “This vulnerability wasn’t created by a hacker, it was created by staff – organisations need to get a handle on the human element. Companies absolutely have to get better visibility and control of their cloud servers and solutions, they need to know where their data is and who can access it as a bare minimum, and there is no excuse for the personal data you hold not being encrypted.”
So what happened with TeenSafe’s servers?
The TeenSafe exposure is the latest Amazon Web Services misconfiguration to involve S3 buckets, the containers in which Amazon’s object storage service holds files, including sensitive data. This is not a flaw in AWS itself: a bucket is private by default, and it becomes readable by the public only when the customer’s own access control list or bucket policy grants access to everyone. S3 has been around for some time, and organisations including Accenture, Verizon and even the US Government have recently felt the impact of buckets left open in this way.
Because the buckets were exposed, Robert Wiggins was able to read sensitive data from them in plaintext. The risk is compounded by the fact that TeenSafe appears to require two-factor authentication to be switched off for the app to work, so an exposed password on its own would be enough to sign in to the account it protects.
Criminals could abuse that data now or at any point in the future. Fortunately, the exposed buckets did not contain any photos, messages or location data, and TeenSafe has narrowly avoided the 25 May 2018 date on which GDPR comes into force.
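The misconfiguration described above is visible in two places: the bucket’s access control list (a grant to the AllUsers or AuthenticatedUsers group) and its bucket policy (an Allow statement whose Principal is `*`). The following is an added example, not code from the original article or from TeenSafe, showing how to flag both from the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. The two sample buckets, their ACLs, policies and the role ARN are constructed for illustration and are not TeenSafe’s real configuration.

```python
import json

# S3 group URIs that make a grant public. AuthenticatedUsers means *any* AWS
# account in the world, not just your own, so it is treated as public here too.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group.

    `acl` is the dict returned by `aws s3api get-bucket-acl`.
    """
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            hits.append((group, grant.get("Permission")))
    return hits


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for Allow statements open to any principal.

    `policy` may be a dict or the JSON string that `get-bucket-policy` returns.
    Statements with a Condition are skipped: they may be scoped (e.g. to a VPC
    endpoint) and need a human to read them, so they are not reported as open.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        hits.append((stmt.get("Sid", "<no Sid>"), actions))
    return hits


def audit_bucket(name, acl, policy):
    """Combine ACL and policy checks into a list of human-readable findings."""
    findings = []
    for group, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    for sid, actions in public_policy_statements(policy):
        findings.append(f"{name}: policy statement {sid} allows {', '.join(actions)} to anyone")
    return findings


# --- Constructed sample data (not real buckets) ---------------------------
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}  # hypothetical owner ID

# The weak setting: public READ on the ACL plus a wide-open GetObject policy.
LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-leaky-bucket/*"}],
})

# The corrected setting: owner-only ACL, access limited to one hypothetical
# IAM role, and a "*" principal that is fenced by a Condition (left for review).
SAFE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/parent-portal-api"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-safe-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-safe-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-leaky-bucket", LEAKY_ACL, LEAKY_POLICY):
        print(line)
    print("safe bucket findings:", audit_bucket("example-safe-bucket", SAFE_ACL, SAFE_POLICY))
```

On a real account the same functions can be fed the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter wraps the policy in a `Policy` string, which is why `public_policy_statements` accepts a JSON string). Conditioned statements are deliberately reported as “needs review” rather than “open”, because a `*` principal behind an `aws:SourceVpce` or `aws:SourceIp` condition may be legitimate; an auditor should still read them.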
TeenSafe has been contacted for comment by Computer Business Review.
The company isn’t the first and no doubt won’t be the last to get caught out: a colossal 12,000TB (12 petabytes) of data – including confidential intellectual property, penetration test results and other sensitive files – can be pulled from exposed Amazon S3 buckets, rsync, SMB and FTP servers, misconfigured websites and NAS drives, according to the “Too Much Information” report published by Digital Shadows last month.
Digital Shadows found 1.5 billion files exposed across the internet’s most ubiquitous file sharing services, including 64 million files in the UK alone – equivalent to roughly one file for every person in the country.