View all newsletters
Receive our newsletter – data, insights and analysis delivered to you

10,200 Records of Child Data Leaked Owing to TeenSafe Server Exposure

"Companies absolutely have to get better visibility and control of their cloud servers and solutions"

By Shrina Gohil

UK-based security researcher Robert Wiggins this week revealed that purportedly “secure” app, TeenSafe, based in Los Angeles, left two servers, hosted on AWS, unprotected and accessible by anyone without a password.

At least one server, which is used by the app for parents to monitor their teenagers’ phone activity, leaked information belonging to 10,200 children including unencrypted passwords, parent email addresses and device names before ZDNet, which initially reported the story, informed the company.

Richard Walters, Chief Security Strategist at web security services company CensorNet explained: “This vulnerability wasn’t created by a hacker, it was created by staff – organisations need to get a handle on the human element. Companies absolutely have to get a better visibility and control of their cloud servers and solutions, they need to know where there data is and who can access it as a bare minimum and there is no excuse for the personal data you hold not being encrypted.”

So what happened with TeenSafe’s servers?

The latest Amazon Web Services cloud misconfiguration vulnerability involves S3 buckets, storage files that contain sensitive data in Amazon Web Services. S3 buckets have been around for some time and organisations including Accenture, Verizon and even the US Government recently experienced the impacts of such misconfigurations.

The exposure of the Amazon cloud servers meant Robert Wiggins was able to see sensitive data in plaintext from TeenSafe’s S3 buckets, especially as TeenSafe appears to have disabled two-factor authentication to use the app effectively.

Cyber criminals could potentially take advantage of this by abusing the data now or in the future. Luckily, the S3 buckets did not uncover any pictures, messages or locations and TeenSafe has just escaped the upcoming GDPR date on 25 May 2018.

Content from our partners
Signs your accounting software is no longer fit for your growing business
Incumbent banks must transform at speed, or miss the benefits of open banking
Leverage cloud and expertise to optimise engagements from onboarding to conclusion

TeenSafe has been contacted for comment by Computer Business Review.

The company isn’t the first and no doubt won’t be the last to get caught out: a colossal 12TB of data – including confidential intellectual property, penetration test results and other sensitive files in the cloud  – can be pulled from exposed Amazon S3 buckets, rsync, SMB, FTP servers, misconfigured websites, and NAS drives, according to the “Too Much Information” report published by Digital Shadows last month.

The company found that 1.5 billion files were exposed across the internet’s most ubiquitous file sharing services. That includes 64 million files in the UK alone – the equivalent to one file for nearly everyone in the country.

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU