The Kid Security app has exposed children’s locations, messages and more

Kid Security, a popular parental control app with millions of downloads, has been found to reveal sensitive information about children. The app, which is available on Android and iOS, revealed GPS locations, private messages, email addresses, IP addresses and more. The data was available to anyone for more than a year, Cybernews security researchers found. The same team previously reported a data leak by Kid Security in November 2023.

Security researchers uncover yet another data leak by Kid Security

Kid Security is a mobile app that parents can install on their kids’ phones to track their location, listen to their surroundings when they’re away, limit screen time, control digital interactions and more. It was developed by a company based in Kazakhstan, and works in tandem with another app called ‘Tigrow!’ to give parents complete control over what their children do on their phones.

Unfortunately, poor security measures mean that the app has done more harm than good to its users. According to Cybernews, Kid Security’s developers “failed to configure authentication for their Kafka Broker Cluster.” This jeopardized sensitive data collected from the phones of minors. The leaked data included private messages from various chat apps, including Instagram, WhatsApp, Telegram, Viber and Vkontakte.

The leak also exposed parents’ email addresses, IP addresses, lists of apps installed on phones and their usage statistics, audio recordings of minors’ environments, device locations, IMEI numbers and other forms of data. The worst part is that anyone, including threat actors, could access the data, and not for a day or a week but for a whole year, which is a huge safety risk for parents and minors.

Data such as email addresses, social media messages, IMEI numbers, and GPS locations are more than enough to pinpoint a user. Some of the leaked group chats had specific school names and class designations in the title, further allowing a threat actor to narrow down the individual’s circle. They can also use the Sound Around feature to listen to and record the child’s surroundings without their knowledge.

The leak also affected children who do not use the app

This data leak also affected children who do not have Kid Security installed on their phones. Their messages sent to children with this app were exposed. This included group discussions with the specifics mentioned above. The leak mainly affected people in the Russian Federation, Eastern Europe and the Middle East, although a significant number of people from other regions are also using the app.

Cybernews discovered this leak in February 2024. The cluster has been open since January 2023. During this period, it exposed over 100 GB of information. The researchers observed the cluster for more than an hour and received 456,000 private messages and app usage statistics from 11,000 phones. That’s an incredibly large amount of data compromised within an hour. Threat actors could use the information to launch more devastating attacks.

The publication reached out to the developers of Kid Security after discovering this data leak. The company subsequently secured the cluster, but the damage had already been done. Given that the leak wasn’t patched for over a year, the developers probably weren’t actively monitoring the cluster. The previous leak also revealed thousands of phone numbers, email addresses and activity records of the app’s users.
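
The root cause Cybernews describes is a Kafka broker that accepted clients without authentication. As an added example (not code from Cybernews or Kid Security), this Python script audits a broker's `server.properties` text and flags listeners that accept unauthenticated clients; both sample configurations are constructed for illustration.

```python
# Added example (not the vendor's code): audit Kafka broker properties.
DEFAULT_MAP = "PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL"
# Constructed sample: the failure class described above (no authentication).
OPEN_BROKER = "listeners=PLAINTEXT://0.0.0.0:9092\n"
# Constructed sample, trimmed to the settings this audit reads.
HARDENED_BROKER = """
listeners=INTERNAL://10.0.0.5:9093,CLIENT://0.0.0.0:9094
listener.security.protocol.map=INTERNAL:SSL,CLIENT:SASL_SSL
listener.name.internal.ssl.client.auth=required
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
"""

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (listener, finding) tuples; an empty list means no findings."""
    props = parse_properties(text)
    pairs = props.get("listener.security.protocol.map", DEFAULT_MAP).split(",")
    proto_map = {n.strip().upper(): p.strip().upper()
                 for n, p in (pair.split(":", 1) for pair in pairs)}
    findings = []
    # Kafka listens on PLAINTEXT://:9092 when "listeners" is unset.
    for entry in props.get("listeners", "PLAINTEXT://:9092").split(","):
        name = entry.strip().split("://", 1)[0].upper()
        proto = proto_map.get(name, name)
        if proto == "PLAINTEXT":
            findings.append((name, "no authentication, no encryption"))
        elif proto == "SASL_PLAINTEXT":
            findings.append((name, "credentials and data sent in cleartext"))
        elif proto == "SSL":
            # TLS alone authenticates only the broker, not the client.
            key = f"listener.name.{name.lower()}.ssl.client.auth"
            if props.get(key, props.get("ssl.client.auth", "none")) != "required":
                findings.append((name, "TLS without required client certificates"))
    if not props.get("authorizer.class.name"):
        findings.append(("*", "no authorizer, so no ACLs are enforced"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("open", OPEN_BROKER), ("hardened", HARDENED_BROKER)):
        print(label, audit(cfg))
```

An empty result only means the listener and authorizer settings look sane; network exposure of the broker port still has to be checked separately.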

If you or someone you know uses Kid Security, it may be safer to uninstall it and switch to another parental control app. You should also remain vigilant about your child’s safety as the leak could have compromised your data.
