What is your teenager doing on his or her iPhone? Many parents looking for answers to this question have turned to services that promise the ability to monitor an iPhone. For example, TeenSafe offers a service called TeenSafe Monitor. For $15 a month, parents can access a web-based dashboard to review their child’s text messages (both SMS and iMessage, and even if the messages were deleted from the iPhone), messages sent through WhatsApp, incoming and outgoing calls, a full list of contacts on the iPhone, the history of websites visited on the iPhone, and the current and historical locations where the iPhone has been. How does it get access to all of this information? The iPhone has to be configured to backup to iCloud, two-factor authentication has to be turned off, and you have to give TeenSafe your teenager’s Apple ID username and password.
Those requirements may make you raise your eyebrows and bit, and for good reason. If you are going to give any third party a username and password, you have to trust them. Not only do you have to trust that they are going to use the information responsibly, but you also need to trust that they are going to safeguard this secret information.
Unfortunately, Zack Whittacker of ZDNet reported this weekend that TeenSafe wasn’t very careful in storing this information. TeenSafe stored a file which had all of those usernames and passwords and other information in a place on the Internet where anyone could access it. Even worse, the data was not encrypted and was instead stored in a plain text format. The reporter contacted some of the email addresses in the file that anyone could download, and confirmed that, sure enough, the leaked passwords were accurate. Ugh. As you would imagine, TeenSafe is now taking efforts to secure the data again and to inform its customers of the leak.
Did any bad actors get access to the usernames and passwords before the story was published on ZDNet? Perhaps we will never know.
The ZDNet story came just one day after an article by Jennifer Valentino-DeVries of the New York Times. She reported that while these services say that they are for parents to monitor their teens, they are heavily used by people to monitor their spouses, especially when infidelity is suspected. The report goes on to explain that some stalkers are using them to monitor their victims.
I’m reminded of an incident about four years ago, when a hacker was able to trick celebrities through a phishing attack into providing their Apple ID passwords. Once he had the username and password, the hacker was able to access their iCloud backups, find nude photographs, and then leak them to the Internet.
We live in a digital world in which many aspects of our privacy are often protected by little more than a username and password. Every time you give a password to someone else — your spouse, a co-worker, or a third party — you need to be sure that you can trust that they are going to protect your privacy just as much as you yourself would.