The bad news: millions of messages and images of 1,700 kids were exposed by a site that – ironically! – helps parents babysit their offspring’s mobile chats, social media doings and locations.
The good news: the site, uKnowKids.com, snapped the window shut on that info-disgorging breeze faster than you can say “Hello, Kitty!”
Unfortunately, to wrap it all up with a snarky bow, CEO Steve Woda put out an advisory in which he shot the messenger.
That messenger was security researcher Chris Vickery, who has been using Shodan, a search engine for internet-connected devices, to shake a great many improperly configured MongoDB databases out of the trees, including those at MacKeeper, Sanrio’s Hello Kitty and Hzone, a dating app for HIV-positive people.
In his advisory, Woda thanked Vickery for the heads-up, with a liberal dash of we hate that you did this (and no, we didn’t add the sarcastic strike-out or the air quotes):
It is with significant regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.
The hacker claims to be a “white-hat” hacker [struck through in the original] a “security researcher” or “white hat hacker” or “ethical hacker”, which means he tries to obtain unauthorized access into private systems for the benefit of the “public good”. Although we do not approve of his methods because they unnecessarily put customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.
On Tuesday, Vickery said in a post that he had discovered that one of uKnowKids’ databases was configured for public access, “requiring no level of authentication or password and providing no protection at all for this data.”
According to what Shodan picked up, that database looks to have been wide open for at least 48 days.
During that time, anybody could have gotten access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles that include first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more, Vickery said.
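What Vickery describes, “requiring no level of authentication or password”, is on MongoDB of that era the product of two settings: authorization not enabled, and the server listening on every interface. The following audit script is an added example, not from the article and not uKnowKids’ own tooling: a POSIX shell function that inspects a YAML-style mongod.conf (mongod 2.6 and later) for exactly those two settings, run against two constructed sample files. It assumes the config file is on disk and, because older mongod listened on all interfaces when bindIp was absent, treats absence as a finding too.

```shell
#!/bin/sh
# Added example, not from the article or from uKnowKids: audit a mongod.conf
# (YAML style, mongod 2.6+) for the two settings that leave a database open to
# anyone who can reach the port, the condition Shodan kept turning up in 2015-16.
# Assumed: the file is on disk; older mongod listened on all interfaces when
# bindIp was absent, so absence is reported as well.

audit_mongod_conf() {
    conf="$1"
    findings=""

    # security.authorization must be "enabled"; otherwise no credentials are
    # required for any read or write. Only uncommented lines count.
    if ! grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then
        findings="${findings}no-auth "
    fi

    # net.bindIpAll: true (3.6+) overrides bindIp and listens everywhere.
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf"; then
        findings="${findings}bindIpAll "
    fi

    # net.bindIp: flag absence, 0.0.0.0 and ::. A loopback/private list is fine.
    bind=$(grep -E '^[[:space:]]*bindIp:' "$conf" | head -n 1 \
           | sed 's/#.*//; s/.*bindIp:[[:space:]]*//' | tr -d ' ')
    case ",$bind," in
        ",,")               findings="${findings}bindIp-missing " ;;
        *,0.0.0.0,*|*,::,*) findings="${findings}bindIp-all-interfaces " ;;
    esac

    if [ -z "$findings" ]; then
        echo "OK"
    else
        echo "EXPOSED: ${findings% }"
    fi
}

# Constructed sample configs (not uKnowKids' real files).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The shape of an all-defaults deployment: no security section, bound everywhere.
cat > "$workdir/open.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

# Same server with authorization on and the listener limited to loopback plus
# one private address.
cat > "$workdir/hardened.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
EOF

for f in open hardened; do
    printf '%s: %s\n' "$f.conf" "$(audit_mongod_conf "$workdir/$f.conf")"
done
```

Binding to private addresses is not a substitute for authorization: a firewall rule or cloud security group that opens 27017 puts the server straight back on Shodan, which is why the audit reports the two settings independently.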
Woda admitted that the vulnerable database hosted proprietary information (though no financials) that includes confidential data on one in 200 of the children that the company tracks at their parents’ request.
The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow’s most important technology.
With respect to customer data, no financial information or unencrypted password credentials were vulnerable. However, names, communications, and URL data were exposed for about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.
uKnowKids patched the hole within 90 minutes of Vickery’s contacting the company, Woda said.
…and then, Woda said, it turned its attention to the two IP addresses it associated with Vickery, who had been taking screenshots of uKnowKids’ data, as it tried to “validate his stated ‘benign’ intentions.”
Things got particularly weird, from the sounds of it, when Vickery and Woda took it to a phone conversation.
You can read Vickery’s take on the back-and-forth in this disclosure spat and decide for yourself whose side you’re on.
Bear in mind that this breach is complicated by the fact that the information at stake relates to kids.
That makes its keepers responsible under the Children’s Online Privacy Protection Act (COPPA).
According to the Federal Trade Commission (FTC), operators of a website or online service with knowledge that they’re collecting, using, or disclosing personal information from children under 13 must “…establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”
uKnowKids notified the FTC of the breach.
It also asked Vickery to destroy the information he downloaded from the insecure database.
As Vickery tells it, Woda also told him, in a phone conversation, that the security researcher himself could get into COPPA trouble for having kids’ information: a claim that Vickery dismissed as “preposterous.”
Vickery told CSOonline that he’s keeping the screenshots of the leaked data, which he’s published in redacted form.
He also freely admitted that he had downloaded the vulnerable database. Why not, he said; it was, after all, freely available to anybody:
Oh yes, definitely. As is the right of any member of the public accessing information that is configured for public access and being offered to the public.
Vickery said he was keeping copies of the leaked data in order to keep uKnowKids “honest” about the incident.
I securely wiped [the database] within 48 hours and notified uKnowKids of this fact.
However, the few retained screenshots are completely redacted of all Personally Identifiable Information and are being kept for purposes of credibility and to keep uKnowKids (minimally) honest in their claims.
There’s obviously a lot of fur flying.
Readers, who has your sympathy in this case? Please let us know in the comments below.
Anonymous
The security researcher, without question. He has helped that company by closing down a massive weakness, and the notion he would be in trouble is laughable.
Bella J
It is not laughable if the researcher failed to protect and respect the company assets after he obtained it. Data, IP, etc. That is a serious issue. He has a duty of care that is very high. If he failed to use great care, he can cause as much damage as any hacker can. Very serious stuff for both the company and the researcher.
Paul Ducklin
+1.
I suspect that most Naked Security readers will have at least some antipathy for Chris Vickery, who seems to think that two wrongs make a right.
In his case, he’s suggesting that it was OK to download the whole database on the grounds that it was “the right of any member of the public [to] access information that is configured for public access and being offered to the public,” which strikes me as morally questionable (and legally unlikely). After all, Vickery knew full well it *wasn’t* supposed to be accessible to the public, because that’s the whole point he’s trying to make. If you accidentally leave a suitcase full of money at the bus stop, that doesn’t give me the right to take it and keep it for myself “because anyone else could have done the same.” If I took it, I might never get found out, but I’d still be in the wrong: I’d have known jolly well it wasn’t mine; I’d have been pretty certain that you didn’t intend to leave it there. The money still belongs to you, and I’m supposed to hand it in…
Bella J
There are two sides to every story, and it looks like the BBC just shared the other side’s story.
Chris Vickery may have some explaining to do too. Calling yourself a “researcher” does not make you ethical.
justiceISfake
If you drop a newspaper on the ground and you wrote down some PII on it… if I pick it up, are you going to shoot me? Don’t be an idiot like the CEO of this company. He obviously has power issues. NEVER TRUST A SUIT!!!!
Anonymous
I think you can probably guess whose side most Naked Security readers will be on. I can understand the CEO’s frustration at wanting to keep the details under wraps, but trying to hide things like this just makes it worse. With the kind of information this company has, they really should have done a better job at security, including audits, which would have caught this problem well before the researcher found it.
Guy
I agree with anonymous.
This is the problem with C-level executives who lack even the most basic concept of data protection, whether technical or legislative. If this was Europe, uKnow would be in hot, hot water for such horrible non-compliance with data protection laws. Heaven help anyone who does this when the GDPR comes in!
Bella J
To be clear, uKnowKids seems to have disclosed everything. Why are you suggesting that they did not make disclosures?