Recently, a concerning data leak involving sensitive information about children, including their geolocation and personal messages, has been uncovered as a result of the flaws in the development of the Kidsecurity parental control application.
The issue was first brought to light by the Cybernews research group in February. It was discovered that data collected from minors had been accessible to all users for over a year because authentication was misconfigured on a Kafka broker cluster. Analysis revealed that the leak impacted users worldwide, including those in Eastern Europe and the Middle East.
The Kidsecurity app, with over 1 million downloads on Google Play, is designed to allow parents to monitor their children’s location, control their digital interactions, and even listen to their surroundings to ensure their safety.
Among the leaked information were messages from various social networks, email addresses of parents, IP addresses, information about transactions in the App Store, lists of installed applications, audio recordings of minors, device details, battery levels, IMEI numbers, and other metadata.
This is not the first time the app has faced security issues. In 2023, a similar incident occurred when over 300 million records with users’ personal data were exposed due to improper authentication settings.
The main reason behind the recent data leak was an open Kafka broker cluster, which allowed personal information to flow unchecked, giving attackers access to a vast amount of data. Upon discovering the open cluster, Cybernews found over 100 GB of stored information, including 456,000 personal messages and app statistics from 11,000 devices, within just one hour. Access to the cluster was closed only after Cybernews alerted the company.
This negligence not only jeopardizes the confidentiality of the children involved but also opens the door for cybercriminals to exploit the data, posing a potential security threat.
It’s essential for developers to prioritize security measures to protect the privacy and safety of users, especially when it comes to applications aimed at children.