KidSecurity, a popular parental control app, has leaked sensitive information about children for the second time, this time exposing GPS locations and private messages on minors’ devices.
On February 7th, 2024, the Cybernews research team discovered that the app’s developers failed to configure authentication for their Kafka Broker Cluster, which leaked a large amount of sensitive data collected from minors’ phones. The data was accessible to anyone, including malicious actors, for more than a year.
With more than a million downloads on Google Play, KidSecurity provides parents with services to track their children's location, control digital interactions, and listen to the sounds around the child to ensure safety. The app works in tandem with another app called ‘Tigrow!’ which has over half a million downloads. Both apps are developed by the same company headquartered in Kazakhstan.
The leaked data included:
- Minors' social media messages, including Instagram, WhatsApp, Telegram, Viber, and Vkontakte
- Parents' email addresses
- IP addresses
- App Store information: country, profile country, currencies used for transactions, subscription start and expiration dates
- Lists of apps installed on phones and their usage statistics
- Rewards granted to kids for completing tasks such as doing chores or participating in sports
- Audio recordings of minors' environment
- IMEI numbers
- Device locations
- Device battery levels
- Other periodically sent metadata
This is the second time the app has failed to secure access to its systems. Last year, the team found that the app mishandled authentication to its systems and leaked over 300 million records with private user data, including 21,000 telephone numbers, 31,000 email addresses, and partial payment information. The leaked data was likely accessed by threat actors.
Cybernews has contacted the company, but a response has yet to be received.
Highly sensitive children's data leaked
While using tracking apps on your relatives is controversial by itself, this kind of cybersecurity neglect is further deepening the issue. Instead of protecting minors, it exposed their private data to anyone on the internet, putting them at an even greater risk.
Some of the data was anonymized and couldn't be directly associated with a specific child. However, exposed parents’ emails, records of received social media messages, and IMEI (International Mobile Equipment Identity) numbers identifying devices and their locations could serve as a means to pinpoint minors.
Some of the leaked group chats were titled with specific school names and class designations, further narrowing down the potential identification of individuals involved.
The app has a “Sound Around” feature, which allows parents to listen to the minors' surroundings. The lack of authentication on the app’s systems enabled anyone to listen to those recordings together with the minors’ parents, raising huge privacy concerns as neither the kids nor their peers may know their conversations could be recorded at any given time.
Malicious actors could use the huge amounts of private data to determine the behavioral trends of minors to exploit and manipulate them. Access to the live location of minors and information about battery levels on their devices could potentially cause even bigger threats and harm, such as abduction.
According to the data analyzed by the researchers, those impacted by the leak are from various regions globally, predominantly in the Russian Federation, Eastern Europe, and the Middle East.
The leak also impacted children who didn't have the parental control app installed on their devices, as messages, including DMs and group chats, sent to kids with the app were exposed.
Feed of sensitive information available to anyone
The leak occurred due to an open Kafka Broker Cluster. Kafka is an open-source platform designed to facilitate real-time data transmission between systems: producers write records to topics, and any client that subscribes to those topics as a consumer receives new records as they arrive. As a result, maintaining a connection to a Kafka Broker or Cluster can lead to continuously receiving large volumes of data. Consequently, the data leak resembled a flowing stream of information, allowing threat actors to accumulate significant amounts of private data over time.
When Cybernews found the open Kafka Cluster belonging to the KidSecurity app, it had already stored over 100GB of information in its cache. Over one hour of observation, researchers received 456,000 private messages sent through social media apps on minors' phones and application usage statistics from 11,000 phones. The volume of data collected within the limited time frame is remarkably high.
The connection to the cluster was not terminated during an hour of observation. The access to the cluster was secured only after Cybernews contacted the company. This suggests that the Kafka Brokers involved were likely not actively monitored by the developers.
As a result, any rogue collector would probably go unnoticed for an extended period. This assumption is further supported by the fact that the Broker remained open for over a year. The open cluster was first indexed by an IoT search engine in January 2023.
Additionally, attackers might have the ability to configure a "producer" within the Kafka Cluster. However, the researchers did not test this to adhere to white-hat standards of ethical and lawful investigation techniques.
A “producer” could allow malicious actors to send manipulated data through the broker to legitimate collectors – minors’ parents. For example, malicious actors could potentially insert false information in minors’ messages, locations, battery levels, or application lists to cause further damage.
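As an added illustration (not configuration from the KidSecurity developers, whose setup is not public), the broker-side settings that separate an openly reachable Kafka listener from one that admits only authenticated, authorized clients, covering both the unrestricted consumption described above and the unrestricted production the researchers did not test. Hostnames, file paths, topic, group and principal names are assumed.

```properties
# ---- Exposed pattern (assumed, shown for contrast) ----
# A single PLAINTEXT listener reachable from the internet and no authorizer:
# any client that can reach port 9092 can consume every topic and, absent
# ACLs, also produce into them.
# listeners=PLAINTEXT://0.0.0.0:9092
# advertised.listeners=PLAINTEXT://kafka.example.com:9092
# (no authorizer.class.name, no ssl.* and no sasl.* settings)

# ---- Hardened broker (server.properties fragment) ----
# Only a TLS + SASL listener is offered; PLAINTEXT is not bound at all,
# so an unauthenticated client cannot even fetch cluster metadata.
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka.example.com:9093
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512

# Broker certificate and the CA used to verify peers.
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.truststore.location=/etc/kafka/ssl/ca.truststore.jks
ssl.truststore.password=CHANGE_ME
# ssl.client.auth=required   # uncomment to additionally require client certs

# Deny-by-default authorization: a principal with no matching ACL gets nothing.
# (KRaft clusters use org.apache.kafka.metadata.authorizer.StandardAuthorizer)
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin

# ---- ACLs granted afterwards with kafka-acls.sh (assumed names) ----
# The device-side agent may only produce telemetry:
#   kafka-acls.sh --bootstrap-server kafka.example.com:9093 \
#     --command-config admin.properties --add \
#     --allow-principal User:device-agent --operation Write \
#     --topic device-telemetry
# The parent-facing backend may only consume it:
#   kafka-acls.sh --bootstrap-server kafka.example.com:9093 \
#     --command-config admin.properties --add \
#     --allow-principal User:backend-consumer --operation Read \
#     --topic device-telemetry --group backend-consumers
# No other principal can read the stream or inject records into it.
```

Authentication alone does not cover the monitoring gap the article describes: the listener should also be firewalled to the backend's addresses, and alerting on consumer groups that are not on an allow list would have surfaced an unknown reader long before a year had passed.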