The database of a child-monitoring website holding the private details of over 1,700 children has been exposed online, leaving names, images, email IDs, GPS coordinates, and social media accounts open to exploitation, it has been revealed.
The US-based site, called uKnowKids, which allows parents to monitor the online activity of children surfing the web, was discovered to have a 'misconfigured database', which was found online via the Shodan search engine by well-known security researcher Chris Vickery.
Vickery found that the database, which stored gigabytes of sensitive child data including 6.8 million text messages and 1.8 million images, had been exposed for nearly 50 days. He quickly reported the incident to the company, which resolved it within 90 minutes.
uKnowKids confirmed the data breach does not affect any financial details or login credentials, although names, communications and URL data were exposed. Yet the response from Steve Woda, chief executive of uKnowKids, has been mired in controversy after he publicly slammed Vickery for his methods and branded the researcher a 'hacker'.
"The hacker claims to be a 'white-hat' hacker which means he tries to obtain unauthorized access into private systems for the benefit of the 'public good'. Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team," wrote Woda in a statement.
"We immediately initiated an exhaustive forensics analysis of all uKnow systems to determine the potential scope of the vulnerability, to identify any other vulnerabilities, and to identify parties who obtained unauthorised access to our systems.
"The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow's most important technology. With respect to customer data, no financial information or unencrypted password credentials were vulnerable. However, names, communications, and URL data were exposed for about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone."
uKnowKids' weak security
In light of this, Vickery returned with a scathing blog post slamming the firm's weak security practices and the tone of the statement put out by uKnow's CEO.
"Steve Woda tried all manner of intimidation tactics against me," he revealed about their initial conversations. "I can only assume that this is because he doesn't want anyone reporting on the incident. Woda repeatedly insisted that I have acted inappropriately in my response to discovering and alerting his company to the gaping breach."
Additionally, the researcher said he had 'no interest' in putting uKnowKids out of business and that his disclosure is in the interest of security. Vickery claims to have deleted the downloaded database entirely, but he is unwilling to delete the screenshot copies of uKnow's intellectual property.
"The uKnowKids child tracking platform claims to make 'Parenting Easier, and Keeps Kids Safe Online.' However, earlier this month I discovered they were doing just the opposite," he said.
"One of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data."
A wakeup call
"We believe that protecting a child's digital identity is just as important as protecting a child's Social Security Number or other sensitive information. The potential for abuse or safety risks involved with the unsecured data collection of children is a nightmare that no parent ever wants to be faced with," Chris Vickery told CSOonline.
"As the use of 'Child Tracking' software applications and services continues to grow in popularity, this is a big wakeup call to the entire industry to secure, encrypt, and protect the information they collect on children," he added.
"The lesson to learn here is that, if you're a parent, be wary of services that offer to monitor your child's online behaviour. These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people."
For their part, uKnowKids has now started to purchase 'Norton Safe Shopping Guarantees' for every uKnowKids customer and reported the incident to the Federal Trade Commission.