The developers of child-tracker app uKnowKids have responded to reports of a data breach, admitting an issue had also exposed its proprietary IP.
uKnowKids goes on to accuse the security researcher who uncovered its problems of "hacking" its data. The researcher involved, Chris Vickery, maintains he was acting in the public interest.
A misconfigured database at uKnowKids.com exposed the data of 1,700 children, their personal messages, social media profiles, and images. More than 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles were left exposed, according to Vickery. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.
The insecure MongoDB installation was online for seven weeks before Vickery discovered it and reported the issue to uKnowKids, which responded promptly to tighten the security of its systems. This quick response ought to be weighed against its failure to secure highly sensitive info of youngsters in the first place.
Steve Woda, chief exec of uKnow and uKnowKids, admitted the issue while criticising Vickery and expressing doubt about his motives in an advisory to customers:
It is with significant regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.
The hacker claims to be a "white-hat" hacker, which means he tries to obtain unauthorized access into private systems for the benefit of the "public good". Although we do not approve of his methods because they unnecessarily put customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.
Woda goes on to admit the vulnerable database hosted confidential information on one in 200 of the children the firm keeps tabs on at the request of their parents:
The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow's most important technology.
With respect to customer data, no financial information or unencrypted password credentials were vulnerable. However, names, communications, and URL data were exposed for about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.
uKnow's technology team patched the database vulnerability within 90 minutes of discovery.
Vickery was reluctant to comply with uKnowKids.com’s request to destroy the information he downloaded from the insecure database. He has retained screenshots of the leaked data, which have been published but only after redaction. This remains a point of contention.
uKnowKids’s Woda said that the FTC has been informed of the breach. “uKnow goes to great effort and expense to fully comply with the FTC’s COPPA [Children’s Online Privacy Protection Act] regulations, and we believe we are in full compliance at this time,” Woda added.
Vickery told CSOonline that he was retaining screenshots of the leaked data in order to keep uKnowKids “honest” about its future handling of the incident.
“I securely wiped it within 48 hours and notified uKnowKids of this fact,” Vickery explained. “However, the few retained screenshots are completely redacted of all Personally Identifiable Information and are being kept for purposes of credibility and to keep uKnowKids (minimally) honest in their claims.”
Vickery’s take on his discovery and his subsequent dispute with Woda and uKnowKids during the disclosure process can be found here. ®