Sensitive child profiles, private messages exposed online

Security researcher Chris Vickery has discovered another database containing sensitive user data exposed online (i.e. accessible via Internet). Leveraging Shodan, he unearthed a database compiled and used by US-based uKnowKids, a company that helps parents monitor what their kids do online and on the mobile phone.

“In violation of the Children’s Online Privacy Protection Act (COPPA), uKnowKids.com gave public access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles. This includes first and last names, email addresses, dates of birth, gps coordinates, social media access credentials, and more,” Vickery noted in a blog post, adding that the “databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data.”

Vickery notified the company about this problem mere minutes after he accessed the database, and according to uKnowKids CEO Steve Woda, the company’s “technology team patched the database vulnerability within 90 minutes of discovery.”

But even though Woda initially thanked Vickery for the heads-up, he’s obviously not satisfied with the fact that the Vickery accessed the database, took screenshots, and downloaded it – all without permission.

“The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow’s most important technology,” says Woda.

He confirmed that names, communications, and URL data for about 0.5% of the kids that uKnowKids has helped protect were exposed, but that no financial information or unencrypted password credentials were vulnerable.

After patching the flaw that let Vickery in, the company analyzed its systems for other flaws and to check who else might have obtained unauthorized access to their systems.

Along several other security measures implemented in the wake of the breach, the company has also hired two third-party security firms to try to breach their systems “on an ongoing and continuous fashion,” so they can identify any future vulnerabilities as quickly as possible and prevent future breaches.

They have also demanded Vickery to delete all copies of the data he exfiltrated from the database and the screenshots he made. According to Woda, he deleted the copies of the database, but is currently unwilling to delete the screenshots.

Vickery claims that shortly after he was contacted by Woda via email and was thanked for his notification about the publicly accessible database, he also got a phonecall from the CEO, who then tried to intimidate him, most probably because he wanted him to keep the whole incident secret. It obviously didn’t work.

“There’s no way for me to know for sure how long this data was exposed to the public internet, although the information collected by Shodan.io suggests that the database had been up for at least 48 days. There’s also no way for me to know for sure how many people may have accessed the database during the exposed timeframe,” noted Vickery.

“The lesson to learn here is that, if you’re a parent, be wary of services that offer to monitor your child’s online behavior. These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people.”