UKnowKids turns against researcher who found 1,700 children’s data was at risk
Child-focused security firm embroiled in row with security expert over insecure database
Child-tracking app uKnowKids.com has accused a security researcher of “hacking” its systems after he warned it that its data was at risk.
Researcher Chris Vickery found that one of uKnowKids.com’s databases was misconfigured on Monday, exposing 1,700 children’s detailed profiles, including email addresses, full names, dates of birth and even GPS co-ordinates for nearly 50 days.
The at-risk data also included 6.8 million personal messages and nearly two million images, many of which were of children.
This data was stored on a MongoDB database configured for public access, and Vickery claimed he did not even need a password to access it.
“I don’t know about you, but I would consider it not a 'reasonable procedure' to give the public open, unfettered access to a database containing detailed child information,” the Kromtech security researcher wrote on MacKeeper.
Steve Woda, CEO of the child safety app company, acknowledged the problem in a blog, and said his technology team patched the vulnerability 90 minutes after Vickery notified him.
He added that the leak affected just 0.5 per cent of the children uKnowKids is charged with protecting.
But he also questioned Vickery’s intentions, and wrote: “The hacker claims to be a ‘white-hat’ hacker which means he tries to obtain unauthorised access into private systems for the benefit of the ‘public good’.
“We are doing our best to fully identify Mr. Vickery in order to validate his stated ‘benign’ intentions.”
Woda wrote that Vickery notified uKnowKids of the data leak 12 minutes after downloading the database, having taken screenshots of business data and customer data.
The firm demanded that Vickery delete the downloads, which he did, but he has kept a number of screenshots, which he claimed to have redacted.
Speaking to CSOOnline, Vickery said he was holding onto the screenshots to ensure uKnowKids remains “(minimally) honest in their claims”.
He said that Woda expressed fears in an email conversation with him that revealing the database insecurity could put uKnowKids out of business.
Woda’s firm has reconfigured all encryption keys and data schemas to fend off cyber criminals, and has hired two security firms to help expose any other vulnerabilities in its systems. It also reported the breach to the Federal Trade Commission.