Error of KidSecurity developers revealed personal data of children around the world

Father

What can underage users expect if their lives have become visible all over the Internet?

As a result of errors made by the developers of the KidSecurity parental control app, sensitive information about children, including their geolocation and private messages, was leaked.

The problem was identified by the Cybernews research team in February. It turned out that for more than a year, data collected from minors' devices was available to all users due to an incorrectly configured Kafka Broker Cluster authentication system. Data analysis showed that the leak affected users around the world, including in Eastern Europe and the Middle East.

With more than 1 million downloads on Google Play, the KidSecurity app offers parents the ability to track their children's location, monitor their digital interactions, and listen to their child's environment to ensure their safety.

Among the leaked information were:
  • messages in social networks, including Instagram, WhatsApp, Telegram, Viber and VK;
  • email addresses of parents;
  • IP addresses;
  • App Store information: country, profile country, transaction currencies, subscription start and end dates;
  • lists of installed apps and their usage statistics;
  • rewards given to children for completing various tasks, such as doing housework or participating in sports competitions;
  • audio recordings of the environment of minors;
  • IMEI numbers;
  • device location;
  • smartphone battery level;
  • other periodically sent metadata.

In 2023, the app had already made data security errors. In November, more than 300 million records with users' personal data were leaked due to incorrect system authentication settings.

The leak was caused by an open Kafka Broker cluster. As a result, information came in like a data stream, which allowed attackers to accumulate huge amounts of personal information over a long period of time. When Cybernews discovered an open Kafka cluster belonging to the KidSecurity app, its cache already contained more than 100 GB of information. During an hour of observation, researchers received 456,000 personal messages sent via social media apps on minors' phones, as well as app usage statistics from 11,000 phones. The amount of data collected over such a limited period of time is extremely large. Access to the cluster was blocked only after Cybernews contacted the company.

[Image: Data saved by hackers]

The lack of protection has not only put the privacy of children's data at risk, but also enabled cybercriminals to manipulate the information received, potentially threatening their security.
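
The post attributes the leak to incorrectly configured authentication on a Kafka broker cluster but does not give the exact settings. As an added example that is not part of the original post or of KidSecurity's code, the check below audits a broker's `server.properties` for listeners that accept clients without authentication; both sample configurations and the function names are constructed for illustration.

```python
# Added example: audits Kafka broker settings for unauthenticated client access.
# Both sample configs are constructed; they are not KidSecurity's real settings.
OPEN_CONFIG = """\
listeners=EXTERNAL://0.0.0.0:9092,INTERNAL://10.0.0.5:9093
listener.security.protocol.map=EXTERNAL:PLAINTEXT,INTERNAL:SSL
allow.everyone.if.no.acl.found=true
"""
HARDENED_CONFIG = """\
listeners=EXTERNAL://0.0.0.0:9092,INTERNAL://10.0.0.5:9093
listener.security.protocol.map=EXTERNAL:SASL_SSL,INTERNAL:SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_broker(text):
    """Return (subject, issue) pairs for settings that let anyone read topics."""
    props = parse_properties(text)
    findings = []
    # Kafka falls back to a PLAINTEXT listener on port 9092 when none is set.
    listeners = props.get("listeners", "PLAINTEXT://:9092")
    pairs = props.get("listener.security.protocol.map", "").split(",")
    proto_map = dict(p.strip().split(":", 1) for p in pairs if ":" in p)
    for entry in listeners.split(","):
        name = entry.strip().partition("://")[0]
        proto = proto_map.get(name, name)  # unmapped names are protocol names
        if proto == "PLAINTEXT":
            findings.append((name, "no authentication, no encryption"))
        elif proto == "SSL" and props.get("ssl.client.auth", "none") != "required":
            findings.append((name, "TLS without client certificate check"))
        elif proto == "SASL_PLAINTEXT":
            findings.append((name, "credentials and data sent unencrypted"))
    if "authorizer.class.name" not in props:
        findings.append(("authorizer", "no ACL authorizer configured"))
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(("authorizer", "topics without ACLs are open to all"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_broker(cfg))
```

An empty result means every listener requires authenticated clients and an ACL authorizer is in place; network exposure of the listener address still has to be checked separately.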
 