HackDig : Dig high-quality web security articles for hacker

uKnowKids Reacts to Data Breach in the Worst Possible Way

2016-02-26 22:50

Over the past week, security researcher Chris Vickery and child-tracking platform uKnowKids have had a public he-said, she-said spat, with the company accusing the security researcher of "hacking" its systems.

Chris Vickery is known in security circles as the researcher who scans the Internet for unprotected MongoDB database servers. He's been doing this for the past few months and has uncovered massive data breaches at many companies, such as Microsoft, MacKeeper, Hello Kitty, OkHello, Slingo, iFit, Vixlet, and Hzone.

Continuing his usual work, Vickery stumbled upon an unprotected MongoDB server that belonged to uKnowKids. After accessing and downloading the database's data (on February 16 and 17) to verify its content, Vickery, as usual, contacted the company to let them know about their issue.

The he-said, she-said part

Instead of kisses and hugs, Vickery says that the company's CEO called him on his phone to make veiled threats over "hacking" their systems and for having unauthorized data on his computer.

uKnowKids then published a blog post on February 22, making it look like Vickery was ill-intentioned and was only masquerading as a security researcher.

Vickery fought back on MacKeeper's blog, accusing the company of being in violation of the Children's Online Privacy Protection Act (COPPA) by not having proper security measures in place to protect sensitive information about children and prevent unauthorized access to it.

Despite it being 2016, companies continue to respond in the worst and most inappropriate ways to security researchers, especially when being informed of security incidents.

After much of social media had skewered uKnowKids for its unprofessional response, the company followed up on February 25 with another blog post, thanking Mr. Vickery and also revealing the results of an internal investigation.

What really happened

To blame for the whole data breach was a MongoDB database deployed on December 28, 2015, that went into a production environment on January 15, 2016.

As it appears, this database had improper access rights, exposing over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 child profiles that included data such as first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.

Edited sample of the exposed uKnowKids data

Vickery discovered this database, downloaded it, verified the data, and informed uKnowKids. As it appears from uKnowKids' blog posts, the company seems to have over-reacted to the whole incident because the same database also contained business data, trade secrets, intellectual property, and algorithms used by the uKnowKids platform.

It appears that Vickery did not want to delete the uKnowKids data, fearing he might get sued for slander, and wanted to keep it as evidence of the company's failure to secure its server. In the end, Vickery deleted the data but took screenshots as a precaution.

uKnowKids' CEO Steve Woda says that the exposed database was patched 90 minutes after Vickery's email, that nobody else except Vickery downloaded the data, and that nobody except Vickery and two verified sources accessed the database during the time it was left exposed online.

Either way, this is just another example of how companies fear lawsuits from angry parents more than they understand that security researchers don't mean them harm when reporting a vulnerability.

Below is what uKnowKids claims was exposed via the insecure MongoDB database (total records, and the number of unique child profiles affected).

Data type                    Summary Data    Unique Child Profiles
Parent Accounts                     1,186                    1,352
Parent Email Addresses                243                        -
Child Email Addresses                   -                        -
Credit Card Payment Information         -                        -
uKnowKids Passwords                     -                        -
Data Channel Passwords                  -                        -
Mobile Image URLs               1,068,250                    1,086
Social Network Image URLs         905,791                      670
Social Network Posts              413,629                      856
Mobile Messages                 6,346,161                    1,189
Social Network Tags                 6,026                      233
Social Network Contacts            47,766                      273

UPDATE: The article was updated to remove an incorrect statement about one of the companies Mr. Vickery helped that threatened to "infect him with AIDS." The company actually threatened a databreaches.net reporter, who aided Vickery in his research.

