CEO of uKnowKids defends calling researcher "a hacker" for exposing security flaw on website

The CEO of an online company uKnowKids, which offers parents the ability to track their children's internet activity, has denied he acted inappropriately when he called a security researcher "a hacker" for disclosing a major security flaw on the website.

Steve Woda, who runs the US-based website, attempted to shift the blame over an issue involving a misconfigured database found to be storing sensitive data about children with little protection onto Chris Vickery, a well-known security researcher, who found and reported the issue.

Vickery uncovered the security lapse by using Shodan, which lists databases and Internet of Things (IoT) devices that are connected to the open internet. He then discovered millions of text messages and images from 1,700 so-called 'child profiles' were being stored with "no level of authentication".

Woda, after finding about the flaw, posted an update to his firm's website titled 'A uKnow database was breached by a hacker, and here are the facts as we know them right now', which effectively name-checked Vickery as the so-called "hacker" responsible for the incident.

The blog post stated: "Mr Vickery obviously did not and does not have authorisation to explore, copy, or control this private child data (or uKnow's intellectual property), and we expect him to comply with our requests immediately.

"If there is one lesson that has been reinforced for us with this hacker's data breach, it is this... there are bad actors out there on the internet and in our digital world that seek to exploit the vulnerabilities of our kids, our families, and our organisations for their own personal benefit."

Woda has now tried to play down the impact of his response. He told the BBC: "We're not running from it. I am super-thankful to Mr Vickery for sharing [his discovery] with us."

"Where the line was crossed was when we said: 'Can we reassure ourselves and our customers that the data we know has been exploited, will not be exploited?' During the phone call I asked him to delete [the data he had], he told us no, he wouldn't."

"If somebody takes your bike and you say give it back, are you intimidating them? I have no animosity. I just wish he would have respected our customers' data," he said. According to the BBC, he said he used the word "hack" not to slam the researcher but instead to convey to his customers the seriousness of the situation.

For his part, Vickery, who maintains that he took screenshots of the database to prove he had access to the weak database, responded by issuing a scathing rebuttal to Woda's claims. "The uKnowKids child-tracking platform claims to make 'Parenting Easier, and Keeps Kids Safe Online'. However, earlier this month I discovered they were doing just the opposite," he wrote. "One of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data.

"The lesson to learn here is that, if you're a parent, be wary of services that offer to monitor your child's online behaviour. These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people.

"Also, if you ever decide to do the right thing and notify a company that they are leaking data, try to keep all correspondence in written format. I've found that CEOs are much less willing to mind their manners in telephone conversations."

Vickery has played a part in the discovery of a number major incidents including the large-scale leak of US voter registration details, a Hello Kitty database that was spewing millions of credentials onto the web and a huge trove of user details from Kromtech, the company that makes MacKeeper.