This post is also available in: heעברית (Hebrew)

Parental control app “KidSecurity” which is used to track children has exposed its activity logs and endangered children’s data.

KidSecurity enables parents to track their children’s location, listen to the sounds around the child, and set gaming limits, and it has over a million downloads on Google Play. Earlier this September, researchers discovered that the app has failed to configure authentication for Elasticsearch and Logstash collections (commonly used tools for logs and event data analysis).

According to Cybernews, this oversight left user activity logs publicly available to anyone on the internet for over a month. The exposed data contained over 300 million records with private user information, including 21,000 telephone numbers and 31,000 email addresses. The app’s logs exposed users’ payment information, showing the first six and last four digits of credit cards, expiration month and year, and the issuing bank.

Furthermore, there are currently indications that unknown threat actors compromised the leaked KidSecurity data, with the open instance being hit by the ‘Readme’ bot and partially destroyed. Cybernews explains that open instances are constantly being hit by malicious botnets and then automatically destroyed. As part of this, the ‘Readme’ file is injected into the Elasticsearch server, containing a ransom note and BTC address for the transfer in exchange for the files.

Bob Diachenko, who first identified the leak stated: “The exposure of sensitive data, such as user emails, phone numbers, and payment information in a kids’ tracking mobile application, is of paramount importance due to the potential risks it poses. In the wrong hands, threat actors could misuse this information for identity theft, fraud, and unauthorized financial transactions, putting children and their families at significant risk. While location details were not exposed in this instance, the leak still represents a severe breach of privacy and security for the affected users.”