uKnowKids Goes On Attack After Database Of 1,700 Kids Found Insecure

The CEO of uKnowKids attacks a security researcher for alerting him to an insecure database of kids and corporate secrets.

Child safety firm uKnowKids is blasting a security researcher who discovered the company exposed 1,700 identities of the children they were supposed to be protecting.

On Monday, security researcher Chris Vickery alerted uKnowKids, a company that helps parents keep tabs on their kids’ online activities, that one of its databases containing sensitive company information and the names of children was publicly accessible. Vickery later revealed that the database contained gigabytes of sensitive child data, including 6.8 million text messages, 1.8 million images and detailed profiles of 1,740 children.

Instead of showing gratitude, Steve Woda, chief executive of uKnowKids, blasted Vickery, accusing him of hacking into his company’s computer systems and breaching one of its servers. In an open letter to his customers, Woda wrote: “It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker.”

Woda said 0.5 percent of the 260,000 children uKnowKids helps protect had “names, communications and URL data” accessible on the publicly accessible server. Woda said uKnow patched the database vulnerability within 90 minutes of Vickery bringing it to his attention.

Vickery fired back with a post to the MacKeeper website on Tuesday accusing uKnowKids of being in violation of the Children’s Online Privacy Protection Act (COPPA). Vickery wrote:

“COPPA requires that a service such as uKnowKids.com ‘establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.’ I don’t know about you, but I would consider it not a ‘reasonable procedure’ to give the public open, unfettered access to a database containing detailed child information.”

Child data included names, images, email IDs, GPS coordinates, and social media accounts, Vickery said.

Woda’s concerns also included Vickery’s “unauthorized access to uKnow’s private database,” and he accused Vickery of downloading “proprietary customer data, business data, database schemas and field names, trade secrets, curated data dictionaries and algorithms.”

Woda claims that Vickery has partially complied with his request to delete sensitive business information. However, according to Woda, Vickery has refused to delete an unknown quantity of screenshots revealing uKnow’s “intellectual property.”

For security researchers, Vickery and Woda’s public feud is all too familiar. “We have been fighting this battle as security researchers for longer than I can remember,” said Tyler Shields, vice president marketing, partnerships, and strategy at security firm Signal Sciences. “Without knowing the details of this particular case I can’t comment on the specifics. But what I can tell you is researchers have been threatened with lawsuits for as long as vulnerabilities have existed.”

According to Vickery’s research, the database had been configured for public access for the 48 days leading up to his discovery last Wednesday. Vickery said he stumbled on the open database using the Shodan search engine, which specializes in finding routers, servers and industrial control computers.

According to Woda, Vickery accessed his firm’s servers periodically over a two-day period before notifying uKnow of the insecure server. Vickery claims Woda was at first appreciative of the discovery, but later in phone conversations turned accusatory.

“I do not appreciate it when someone is nice and agreeable in emails and then issues veiled threats over the phone,” Vickery wrote. One of the lessons Vickery says he learned: “If you ever decide to do-the-right-thing and notify a company that they are leaking data, try to keep all correspondence in written format. I’ve found that CEOs are much less willing to mind their manners in telephone conversations.”

“If it’s attackable and hackable you have to have a way to respond to incidents,” Shields said. “Just responding with veiled threats is absolutely not the right way to respond. The right way is to determine what a researcher found, how they found it and are they there to help you. You need to work with people like this and not against them,” he said.

Discussion

  • Chris Vickery on

    Hey Tom. This is Chris Vickery, the security researcher. Great article! I really appreciate the coverage. There is one typo though that should probably be corrected. The article currently says "'I do not appreciate it when someone is nice and agreeable in emails and then issues veiled threats over the phone,'” Woda wrote" I'm actually the one that said that line, not Woda. He was the one issuing veiled threats against me. Thanks!
  • Bella J on

    A BBC News article sharing the other side of the story. Chris Vickery may have some explaining to do too. Calling yourself a “researcher” does not automatically make you trusted. What do you say Chris? Why should this company trust you to not abuse or misuse their data and property? What makes you special? If you were in the other side's shoes, how does that make them confident that they can trust you? As a CIO, I don't think I would have taken a stranger's word that he could be trusted with such sensitive information. No way! uKnowKids defends response to data breach alert - BBC News http://www.bbc.com/news/technology-35659828
  • brian on

    Never nice to be told you have a security problem, but never a good idea to shoot the messenger! Imagine what the CEO would have had to do if the data had been collected by someone with evil intent....