Thousands of Apple ID Passwords Leaked by Teen Phone Monitoring App Server

[Analog Kid]

Nothing says "your teens are safe with us" like keeping a million passwords in a big, plaintext archive. Turns out to be about as safe as stenciling "TeenSafe" on a windowless van...

I know everyone loves to criticize other people's parenting skills, but I'm amazed how much of this conversation is around what kinds of parents would use a tool like this, and not around the fact that this company is specifically gathering information on children and not even taking the most basic steps to protect that information.

 

[fairuz]

the app's requirement that two-factor authentication is turned off

This is incredibly stupid and dangerous, to put it lightly. And how is this allowed on the App Store?
[doublepost=1526956254][/doublepost]

Jesus H, this product is abominable. True helicopter parent dystopian BS. Just let kids be kids!

Parent here. I'm all for monitoring and protecting them, but putting a spy app on their phone? You might as well tell them, "Hey kid, I've never trusted you and I never will. Do whatever you want, just make sure you don't use your phone to do it." If you need to spy on their phone, don't give them one.

Who says the parents are forcing it? When I was in high school, I gave my parents the ability to track me in iMessage. They didn't even ask. They like to make sure I'm ok, and I was tired of having to respond to messages asking where I was / whether I got somewhere safely. I trusted them not to abuse it.

I'd say it's overkill to get a full history, but often times an iPhone can't respond to location requests for whatever reason and doesn't update the last known location frequently enough sometimes. IDK if they've fixed that now.
[doublepost=1526956433][/doublepost]

This is a good example of why you should never believe you have “total” security or privacy on any operating system or platform.

It's more like a good example of why you should never give your iCloud credentials to anyone besides Apple (likewise for other companies). And I have no idea how this got onto the App Store.
[doublepost=1526956535][/doublepost]

Nothing says "your teens are safe with us" like keeping a million passwords in a big, plaintext archive. Turns out to be about as safe as stenciling "TeenSafe" on a windowless van...

I know everyone loves to criticize other people's parenting skills, but I'm amazed how much of this conversation is around what kinds of parents would use a tool like this, and not around the fact that this company is specifically gathering information on children and not even taking the most basic steps to protect that information.

I think they need the plaintext passwords to log into the account since there's no API or even an auth token system available. If that's the case, this app shouldn't exist at all. It's inherently insecure that way, nothing they can do to improve it.
[doublepost=1526956932][/doublepost]

Any app that wants your password to another account is to be avoided at all cost. Especially financial aggregators like Mint.com.

It's the worst with financial stuff. Even big things like Coinbase and Venmo take bank account usernames and passwords since there's no better way. Man, we need to update our banking tech beyond the 1970s.

 

[ignatius345]

Compounding the lax security is the app's requirement that two-factor authentication is turned off for the child's Apple account so that parents can monitor the phone without consent

Madness that Apple allowed an app to ask this in the first place.

 

[canadianreader]

Should be renamed to TeenUnSafe

 

[Santabean2000]

Pretty black and white to be. They were tracking kids information and keeping the tracked information in a publicly accessible database. The entire server was open to anyone, no login required and it contained names, passwords, email and all the data that was being sent to parents.

You missed who I was replying to.

I was talking about the use of these types of apps for parent use. Not the useless of the company in this instance.

I agree 100% the company effed up.

 

[omihek]

Then what in your view is the right age to get a boyfriend/girlfriend? 35? 50? 90?
You are not a parent then. Were you celibate at 16? I bet not! Where you single then? I bet not.
Also having a boyfriend/girlfriend does not mean having sex. I had a girlfriend at 16 but we did not have sex.

The right age to get a boyfriend/girlfriend is when you are ready to get married and start a family. I know that idea is so totally out there as to be completely alien to most people these days, but not too long ago it was normal practice.

And yes, I am a parent. Yes, I was single and celibate at 16.
[doublepost=1526968274][/doublepost]

No it is not. if you were a parent you would know better. I have an uncle who was an amazing dad to his son. H eyelid everything to help him and yet there was no helping him. My cousin was and is a piece of ****.
He has done so much wrong in his life I would be here all day explaining what.
yet my uncle did all he could. He talked to his son, he spent money coming up with ways to help keep him out of the courts. he did not matter if he got tough, was nice, punished him. His son did as he wanted to no matter what.
Kids can and do have a mind of their own. As parents all we can do is advise and try out best to show our kids the right way to grown up and be there for them when they make mistakes.Hopefully learning along the way.

Yes, it is. I feel for those who have children like your cousin, I really do, but who raised that kid from when he was a baby? Was he a "piece of ****" the day he was born? No, he became that way and no one did enough to stop it.

 

[fairuz]

Passwords are never stored on a database, this company should of never of stored them but they did and they even stored them as plain text, ASCII what was this company thinking of.

I'm assuming they needed the actual passwords to log into the iCloud accounts. A hash of the password wouldn't do them any good in that case. This kind of secret sharing is of course bad practice, but getting past that, they should have kept it encrypted and... oh geez, they didn't even have a password on the database.

unprotected and accessible without a password

Whoever's running this company should never do anything ever again. I wouldn't be surprised if this were some illegal organization.

 

[Threbus]

What kind of parents spies on their children text messages? That’s just wrong on so many levels ... boundaries people. if you don’t trust them enough to use their own phone privately. Maybe look yourself in the mirror and question what you did wrong rasing them.

You either have a lot of trust in your kids and believe that they would never be conned by an internet predator, or sext their friends, or bully or be bullied by someone. It's a different world than when we grew up, and all kids are naive in some way. They will do stupid things or get pulled into something they cannot control.

Better to be proactive and either inspect the phones, or monitor them remotely, then have them send naked pictures or be convinced that some 50-year-old is actually 18 and run off with them and disappear. It's happened, and to kids that you would never think it would happen to.

 

[Piggie]

I don't know how long many of you here have been on the Internet.
I joined the internet very early on in the UK, after I used to use ViewDate / PRESTEL before and some bulletin boards with the old dial up 300 baud modems.

I'd never heard of this new Internet, but joined up and was amazed.
This was way before "normal" people used it, and any "normal shops" had their own web sites to think about selling or advertising stuff.

It was like this way for a while, then the main media got interested in the Internet.
And children on the Internet was mentioned.

I recall at the time thinking to myself.
WHAT....... Are you crazy.
The Internet is for Adults, it has lots of adult stuff on it. It's not regulated to make it kid friendly.
No, Children should not be allowed on it.
If anything, Make, like another "Sub Internet" for the kids and to be policed, but the real internet, leave that for adults.

Did it happen that way? Nope of course not. And then people started to complain it was not safe for kids.
Well, Duh!!!

 

[Tech198]

Although good at first to 'an app to help monitor activities' it keeps bring home the same message no matter what sort of app that is willing to provide usefulness to share AppleID's on..

Just one more entry vector left open. I'm surprised it was on AWS

 

[Santabean2000]

And yes, I am a parent. Yes, I was single and celibate at 16.
[doublepost=1526968274][/doublepost]
Yes, it is. I feel for those who have children like your cousin, I really do, but who raised that kid from when he was a baby? Was he a "piece of ****" the day he was born? No, he became that way and no one did enough to stop it.

kids are more than just the sum of these parents. They go to school. Meet other people. Make their own choices. And get things wrong.

Only takes connecting with the wrong crowd for shiz to go awol.

And yes. There are some turds out of the oven.

 

[PinkyMacGodess]

I somehow see them disappearing in a puff of acrid smelling smoke. Get your lawyers ready to pick over their bones.

But how damn bone headed do you have to be. It seems impossible to keep any data away from idiot programmers who splash it all over the place. The 'breaches' are so numerous now that they rarely illicit more than a 'There was another breach' announcement with no fanfare by the talking drones on the box.

A group of politicians wanted stiff and meaningful penalties for 'breaches', but the effort was killed. There is no accountability, and LifeLock laughs its way to the bank.
[doublepost=1526987136][/doublepost]

Only if the kids do not respect the parents etc.My kids respect me and I respect them. Plus I know all the tricks and loopholes..nothing they can do i can't stop or know about.

Respect is not taught in this 'New Age'. They are being bombarded with the idea that government and minorities aren't to be trusted. Sowing the seeds of a very dark future. Education isn't what it used to be. The thought that some textbooks portray slavery as being 'good for the slaves' is heinous and despicable for an example. America is headed for third world status.
[doublepost=1526987355][/doublepost]

No it is not. if you were a parent you would know better. I have an uncle who was an amazing dad to his son. H eyelid everything to help him and yet there was no helping him. My cousin was and is a piece of ****.
He has done so much wrong in his life I would be here all day explaining what.
yet my uncle did all he could. He talked to his son, he spent money coming up with ways to help keep him out of the courts. he did not matter if he got tough, was nice, punished him. His son did as he wanted to no matter what.
Kids can and do have a mind of their own. As parents all we can do is advise and try out best to show our kids the right way to grown up and be there for them when they make mistakes.Hopefully learning along the way.

Omihek is probably a Mormon. You can't deal with their 'holier than thou' egotism. Being raised in a religion with solid concrete walls to oppress children and control their parents sure does solve a lot of things, doesn't it...

 

[PaulSorensen]

Karma is a bitch

 

[dk001]

Parent here. I'm all for monitoring and protecting them, but putting a spy app on their phone? You might as well tell them, "Hey kid, I've never trusted you and I never will. Do whatever you want, just make sure you don't use your phone to do it." If you need to spy on their phone, don't give them one.

As a parent and a grand-parent, your comment is short sighted at best. Spy is a harsh word. Monitor.
I have always had the ability to monitor my kids online presence. When they wanted a smartphone/tablet/computer that was part of the bargain. Doesn't mean I did it unless the situation warranted it. Personally, it was rare. I have taught and shown my children how to do the same with their kids.

Society has been harping on parents to do just that; monitor. Know what your kids are doing and posting. Who are they associating with. Are they into something they should not be. This looks like it would be a solution for many parents and I suspect that is why they bought into it. It was a solution. Technologically a good solution or not. Many of us who are more enabled would likely choose other options.

In this case, the security provided by owning company is at fault and they should be held accountable.

JMPO YOMV

 

[Analog Kid]

I think they need the plaintext passwords to log into the account since there's no API or even an auth token system available. If that's the case, this app shouldn't exist at all. It's inherently insecure that way, nothing they can do to improve it.

If I read the article correctly, this is two whole levels of stupid beyond that. It’s not just that the password needed to be exposed to TeenSafe, but TeenSafe then stored that password in plaintext and did that on a public server.

 

[warp9]

Incompetence and negligence.

Good luck getting any form of compensation or refund.

https://www.teensafe.com/helps/terms/

Their terms do not supersede COPPA. You can't include illegal activities in a contract.

 

[expiredyogurt]

Just saying.

literally this, this is some scary **** and too much power to give to a human being. so many were criticizing the government for doing this to them but they themselves are doing it to their kids just because they live in their home.

this is also literally spyware since it can see all sorts of data including 3rd party apps. if this kind of service exist, then what is to say that the government can't do the same to anyone right now? end to end encryption is literally useless now that there are MITM attack and this spyware and not to mention the decryption key is held by the companies and they can use it whenever they want without you knowing it

 

[MacBH928]

As someone who has been online for over 20+ years I can tell you that I would feel best if any one younger than 21-22 would not access the internet without being monitored. There are seriously things you don't want your children to see or get exposed to.

Anyone who went through the teenage years know how easy it is to slip up and destroy your life in that young age, just by hanging with the wrong people. Now that everything is easily recorded via picture and video and shared its a lot worse. Many people did things in their teenage years that they regretted it big time later on, and if there was better guidance they might have not walked through that slippery road.

That being said, turning into Big Brother is not the solution. It remains a parenting problem.

 

[fairuz]

If I read the article correctly, this is two whole levels of stupid beyond that. It’s not just that the password needed to be exposed to TeenSafe, but TeenSafe then stored that password in plaintext and did that on a public server.

Yes, I missed that part at first. They broke every rule in the book.

 

[oyabroch!]

How does a THIRD PARTY APP get Apple ID credentials? I thought they'd be hashed, or whatYaKallit...

 

[Tech198]

How does a THIRD PARTY APP get Apple ID credentials? I thought they'd be hashed, or whatYaKallit...

If its anything like Zoiper app if u wanna puchase VoIP premium features it uses your Apple ID for purchase, no manual entry required if you are already signed into the App Store, so its probably some handing off locally..

With the exception with this issue, it was sent also to this third party server.

Apple ID paswords would be hashed.. not the email itself.... ther'd be no reason to hash that.

 

[oyabroch!]

As I read these comments, it's easy to tell who are parent's and who are not.

To those who are not, you really have no basis to be criticizing a parent for monitoring their child's activities. As long as I am responsible for my children, I will do what I can to monitor and protect them even if that means they give up a little privacy.

"parent's" is possessive... maybe auto-correct did that...

 

[oyabroch!]

If its anything like Zoiper app if u wanna puchase VoIP premium features it uses your Apple ID for purchase, no manual entry required if you are already signed into the App Store, so its probably some handing off locally..

With the exception with this issue, it was sent also to this third party server.

Apple ID paswords would be hashed.. not the email itself.... ther'd be no reason to hash that.

Well, I think a REAL hash has been made of this!

 

[giggles]

I’m calling to the few souls trying to follow the technical aspect of this amid all the parenting stuff:

1) this was NEVER in the Apple Appstore, right? it was just a web site interface, right?

2) why doesn’t apple cease&desist the hell out of any reasonably big (1M users) service that BY DESIGN asks customers for plain text iCloud passwords? I’m not even talking about the irresponsible storing practices, just the fact that they asked iCloud passowrds in plain text during initial setup.

3) wouldn’t the kids receive a bunch of alert emails about their iCloud being accessed from unusual IPs of this company servers? again, why wouldn’t apple ban those IPs, if apple’s documentation strongly discourages you from communicating your iCloud password to any third party?

 

[Nuvi]

Are you were sure it was Apple making that request?

Yep, without a doubt. My devices were logged out and I according to system prompt I had to set a new password. Anyway, I’m in a Apple closed beta so that might be another reason. Apple has been doing the same for Devs. However, the timing is just interesting.