Parental control app KidSecurity allegedly exposed 300 million records with sensitive users' data
"KidSecurity’s user data compromised after app failed to set password", 30 November 2023
With more than a million downloads on Google Play, KidSecurity provides parents with services to track their children's location, listen to the sounds around the child to ensure safety, and set gaming limits.
...researchers discovered that the app failed to configure authentication for Elasticsearch and Logstash collections.
Elasticsearch and Logstash are commonly used tools for logs and event data analysis.
Due to KidSecurity’s oversight, user activity logs were left publicly available to anyone on the internet for more than a month, according to estimates.
The open instance contained over 300 million records with private user data, including 21,000 telephone numbers and 31,000 email addresses. The app’s logs also laid bare users' payment information, exposing the first six and last four digits of credit cards, expiration month and year, and the issuing bank.
Open Elasticsearch instances without adequate security measures, such as authentication and access controls, are targeted by malicious actors seeking to exploit vulnerabilities.
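As an added illustration of the misconfiguration the article describes (example code, not from Cybernews, the researchers, or KidSecurity), a small Python audit that flags an elasticsearch.yml where the HTTP API is reachable from the network while `xpack.security.enabled` is off; the weak and hardened sample configurations and the 10.0.5.12 address are constructed for the example.

```python
"""Audit a flat elasticsearch.yml for the exposure pattern described above:
an HTTP API reachable from the network with authentication not enforced."""
# Constructed sample configurations (not KidSecurity's), flat dotted-key form.
WEAK_CONFIG = """\
cluster.name: app-logs
network.host: 0.0.0.0            # listens on every interface
http.port: 9200
xpack.security.enabled: false    # authentication switched off
"""

HARDENED_CONFIG = """\
cluster.name: app-logs
network.host: 10.0.5.12          # private interface only (constructed address)
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; drops comments and surrounding quotes.
    Nested YAML blocks are out of scope for this audit (assumption)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(text):
    """Return a list of findings; an empty list means the pattern was not found."""
    s = parse_flat_yaml(text)
    findings = []
    # Without network.host/http.host Elasticsearch binds to loopback only.
    hosts = {s.get("network.host", "_local_"), s.get("http.host", "")} - {""}
    reachable = any(h not in LOOPBACK for h in hosts)
    auth_on = s.get("xpack.security.enabled", "").lower() == "true"
    if "xpack.security.enabled" not in s:
        findings.append("xpack.security.enabled not set: relies on the version default (off in 7.x)")
    elif not auth_on:
        findings.append("xpack.security.enabled is false: anonymous access to every index")
    if reachable and not auth_on:
        findings.append(f"HTTP API bound to {sorted(hosts)} with no authentication: open to anyone who can reach it")
    if auth_on and s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is false: credentials travel in cleartext")
    return findings
```

Run the audit over each node's elasticsearch.yml in configuration management; Logstash outputs that point at the cluster should carry credentials once authentication is turned on.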
“The exposure of sensitive data, such as user emails, phone numbers, and payment information in a kids' tracking mobile application, is of paramount importance due to the potential risks it poses,” Bob Diachenko, who first identified the leak, told Cybernews.
“In the wrong hands, threat actors could misuse this information for identity theft, fraud, and unauthorized financial transactions, putting children and their families at significant risk. While location details were not exposed in this instance, the leak still represents a severe breach of privacy and security for the affected users.”
Cybernews has requested a comment but received no reply at the time of writing.