About

  • iPhone J.D. is the oldest and largest website for lawyers using iPhones and iPads. iPhone J.D. is published by Jeff Richardson, an attorney in New Orleans, Louisiana. This site does not provide legal advice, and any opinions expressed on this site are solely those of the author and do not reflect the views of Jeff's law firm, Adams and Reese LLP. iPhone J.D. is not associated with Apple, Inc.

Contact Me

FTC Notice

  • Pursuant to 16 CFR Part 255, the Federal Trade Commission's Guides Concerning the Use of Endorsements and Testimonials in Advertising, please note: (1) iPhone software and hardware developers routinely send me free versions of their products to review. I sometimes keep and continue to use these products that I did not pay for after posting my review, which might be considered a form of compensation for my review, but I do not believe that I let that color my review. (2) When I post links to product pages on certain stores, including but not limited to Amazon and the iTunes App Store, my links include a referral code so that when products are purchased after clicking on the link, I often receive a very small percentage of the sale. As an Amazon Associate I earn from qualifying purchases. Again, I do not believe that I let that color my review of products. (3) Some of the ads that run on this website are selected by others such as Amazon or Google. If one of these ads comes from the seller of a product reviewed on iPhone J.D., that is a coincidence and I do not believe that it colors my review of that product. Other ads are from paid advertisers, and if I discuss a product from a company that is a current advertiser, I will note that. (4) Some of the ads that run on this website are from monthly sponsors of iPhone J.D. When I discuss products from these companies on iPhone J.D., I do so to pass along information provided to me by the sponsor. Often, I will also provide my own commentary on the product, and while my goal is to be honest, please keep in mind that I was compensated to promote the product. If you have any questions about this, just send me an e-mail or post a comment on a specific product review.

« In the news | Main | In the news »

May 22, 2018

TeenSafe leaks Apple ID usernames and passwords

IPhoneXLockWhat is your teenager doing on his or her iPhone?  Many parents looking for answers to this question have turned to services that promise the ability to monitor an iPhone.  For example, TeenSafe offers a service called TeenSafe Monitor.  For $15 a month, parents can access a web-based dashboard to review their child's text messages (both SMS and iMessage, and even if the messages were deleted from the iPhone), messages sent through WhatsApp, incoming and outgoing calls, a full list of contacts on the iPhone, the history of websites visited on the iPhone, and the current and historical locations where the iPhone has been.  How does it get access to all of this information?  The iPhone has to be configured to backup to iCloud, two-factor authentication has to be turned off, and you have to give TeenSafe your teenager's Apple ID username and password. 

Those requirements may make you raise your eyebrows and bit, and for good reason.  If you are going to give any third party a username and password, you have to trust them.  Not only do you have to trust that they are going to use the information responsibly, but you also need to trust that they are going to safeguard this secret information.

Unfortunately, Zack Whittacker of ZDNet reported this weekend that TeenSafe wasn't very careful in storing this information.  TeenSafe stored a file which had all of those usernames and passwords and other information in a place on the Internet where anyone could access it.  Even worse, the data was not encrypted and was instead stored in a plain text format.  The reporter contacted some of the email addresses in the file that anyone could download, and confirmed that, sure enough, the leaked passwords were accurate.  Ugh.  As you would imagine, TeenSafe is now taking efforts to secure the data again and to inform its customers of the leak.

Did any bad actors get access to the usernames and passwords before the story was published on ZDNet?  Perhaps we will never know.

The ZDNet story came just one day after an article by Jennifer Valentino-DeVries of the New York Times.  She reported that while these services say that they are for parents to monitor their teens, they are heavily used by people to monitor their spouses, especially when infidelity is suspected.  The report goes on to explain that some stalkers are using them to monitor their victims. 

I'm reminded of an incident about four years ago, when a hacker was able to trick celebrities through a phishing attack into providing their Apple ID passwords.  Once he had the username and password, the hacker was able to access their iCloud backups, find nude photographs, and then leak them to the Internet. 

We live in a digital world in which many aspects of our privacy are often protected by little more than a username and password.  Every time you give a password to someone else — your spouse, a co-worker, or a third party — you need to be sure that you can trust that they are going to protect your privacy just as much as you yourself would.

Comments

Subscribe

  • Get iPhone J.D. delivered to you via email.
    Name:*
    Your email address:*
    Consent*
    Yes, I consent to being emailed
    No, I do not want to be emailed
    Please enter all required fields Click to hide
    Correct invalid entries Click to hide
    No spam, ever. Promise. Powered by FeedBlitz

Awards

  • ABA Journal named iPhone J.D. the best Legal Technology blog in 2010, 2011 and 2013, and added iPhone J.D. to its Hall of Fame in 2014:

    The Expert Institute named iPhone J.D. the Top Legal Tech Blog in 2017:

Recent Posts