Kid Security app exposed children’s locations, messages & more

0
20

[ad_1]

Kid Security, a popular parental control app with millions of downloads, has been found to leak sensitive information about children. The app, which is available on Android and iOS, exposed GPS locations, private messages, email addresses, IP addresses, and more. The data was accessible to anyone for over a year, security researchers at Cybernews discovered. The same team previously reported a data leak by Kid Security in November 2023.

Security researchers discover another data leak by Kid Security

Kid Security is a mobile app that parents can install on their children’s phones to track their locations, listen to their surroundings when away, limit screen times, control digital interactions, and more. Developed by a company headquartered in Kazakhstan, it works in tandem with another app called ‘Tigrow!’ to give parents full control over what their children do on their phones.

Unfortunately, poor security measures mean the app did more harm than good to its users. According to Cybernews, the developers of Kid Security “failed to configure authentication for their Kafka Broker Cluster.” This compromised sensitive data collected from minors’ phones. The leaked data included private messages from various chat apps, including Instagram, WhatsApp, Telegram, Viber, and Vkontakte.

The leak also exposed parents’ email addresses, IP addresses, lists of apps installed on phones and their usage statistics, audio recordings of minors’ environments, device locations, IMEI numbers, and other forms of data. The worst part is that anyone, including threat actors, could access the data. And not for a day or a week, but for a whole year, which is a massive security risk for parents and minors.

Information like email addresses, social media messages, IMEI numbers, and GPS locations are more than enough to pinpoint a user. Some leaked group chats had specific school names and class designations in the title, further enabling a threat actor to narrow down an individual. They could also use the Sound Around feature to listen to and record a kid’s surroundings without their knowledge.

The leak also impacted children who don’t use this app

This data leak also impacted children who don’t have Kid Security installed on their phones. Their messages sent to children with this app were exposed. This included group chats with the aforementioned specifics. The leak predominantly affected people in the Russian Federation, Eastern Europe, and the Middle East, though a substantial number of people from other regions also use the app.

Cybernews discovered this leak in February 2024. The cluster has been open since January 2023. Over this period, it had exposed over 100GB of information. The researchers observed the cluster for over one hour and received 456,000 private messages and app usage statistics from 11,000 phones. That’s a remarkably high volume of data compromised within an hour. Threat actors could use the information to launch more devastating attacks.

The publication reached out to the developers of Kid Security after discovering this leak. The company subsequently secured the cluster but damage was already done. Considering that the leak remained unpatched for over a year, the developers probably weren’t actively monitoring the cluster. A previous leak also exposed thousands of phone numbers, email addresses, and activity logs of the app’s users.

If you or someone you know uses Kid Security, it might be a safer option to uninstall it and switch to some other parental control app. You should also remain vigilant regarding the safety of your kid as the leak could have compromised your data.

[ad_2]

Source link