The bad news: millions of messages and images of 1,700 kids were exposed by a site that – ironically! – helps parents babysit their offsprings’ mobile chats, social media doings and locations.
The good news: the site, uKnowKids.com, snapped the window shut on that info-disgorging breeze faster than you can say “Hello, Kitty!”
Unfortunately, to wrap it all up with a snarky bow, CEO Steve Woda put out an advisory in which he shot the messenger.
That messenger was security researcher Chris Vickery, who’s been using Shodan, a search engine for internet-connected devices, to shake a great deal of improperly configured MongoDB databases out of the trees, like those at MacKeeper, Sanrio’s Hello Kitty and Hzone, a dating app for HIV-positive people, among others.
In his advisory, Woda thanked Vickery for the heads-up, with a liberal dash of we hate that you did this (and no, we didn’t add the sarcastic strike-out or the air quotes):
It is with significant regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.
The hacker claims to be
a “white-hat” hackera “security researcher” or “white hat hacker” or “ethical hacker” which means he tries to obtain unauthorized access into private systems for the benefit of the “public good”. Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.
On Tuesday, Vickery said in a post that he had discovered that one of uKnowKids’ databases was configured for public access, “requiring no level of authentication or password and providing no protection at all for this data.”
According to what Shodan picked up, that database looks to have been wide open for at least 48 days.
During that time, anybody could have gotten access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles that include first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more, Vickery said.
Woda admitted that the vulnerable database hosted proprietary information (though no financials) that includes confidential data on one in 200 of the children that the company tracks at their parents’ request.
The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow’s most important technology.
With respect to customer data, no financial information or unencrypted password credentials were vulnerable. However, names, communications, and URL data was exposed for about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.
uKnowKids patched the hole within 90 minutes of Vickery’s contacting the company, Woda said.
…and then it turned its attention to two IP addresses it associated with this Vickery guy, Woda said – the guy who was snapping screenshots of uKnowKids’ data – as it tried to “validate his stated ‘benign’ intentions.”
Things got particularly weird when Vickery and Woda took it to a phone conversation, from the sounds of it.
You can read Vickery’s take on the back-and-forth in this disclosure spat and decide for yourself whose side you’re on.
Bear in mind that this breach is complicated by the fact that the information at stake relates to kids.
That makes its keepers responsible under the Children’s Online Privacy Protection Act (COPPA).
According to the Federal Trade Commission (FTC), operators of a website or online service with knowledge that they’re collecting, using, or disclosing personal information from children under 13 must “…establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”
uKnowKids notified the FTC of the breach.
It also asked Vickery to destroy the information he downloaded from the insecure database.
As Vickery tells it, Woda also told him, in a phone conversation, that the security researcher himself could get into COPPA trouble for having kids’ information: a claim that Vickery dismissed as “preposterous.”
Vickery told CSOonline that he’s keeping the screenshots of the leaked data, which he’s published in redacted form.
He also freely admitted that he’d downloaded the vulnerable database. Why not? he said. It was, after all, freely available to anybody:
Oh yes, definitely. As is the right of any member of the public accessing information that is configured for public access and being offered to the public.
Vickery said he was keeping copies of the leaked data in order to keep uKnowKids “honest” about the incident.
I securely wiped [the database] within 48 hours and notified uKnowKids of this fact.
However, the few retained screenshots are completely redacted of all Personally Identifiable Information and are being kept for purposes of credibility and to keep uKnowKids (minimally) honest in their claims.
There’s obviously a lot of fur flying.
Readers, who has your sympathy in this case? Please let us know in the comments below.