uKnowKids database exposed personal info of 1,740 kids
Chris Vickery, while employed by and representing Kromtech, discovered and exploited uKnow development/test servers almost 2 years ago that had not been properly configured, and uKnowKids immediately took care of the problem within 90 minutes of being alerted to it.
uKnowKids immediately contacted all of their customers and the FTC about the vulnerability, and they publicized the issue on their site and in the company communications to hundreds of thousands of people. uKnowKids provided full disclosure to every relevant party.
The FTC has never suggested that uKnowKids was in violation of COPPA, and at the time of the event, there was also a legal doubt as to whether COPPA even applied to uKnowKids in the first place.
uKnowKids.com database error exposed sensitive information on 1,700 kids.
uKnowKids.com gave public access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.
The uKnowKids child tracking platform claims to make “Parenting Easier, and Keeps Kids Safe Online.” However, earlier this month I discovered they were doing just the opposite. One of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data.
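As an added example (not from the article, and not code from uKnowKids or Kromtech), here is a short Python audit of the two listener settings this paragraph describes: which interface the database is bound to, and whether it requires authentication. The config format and the key names `bind_address` and `auth_required` are constructed for illustration and are not any real database engine's syntax; the article does not name the engine involved. The weak configuration embedded below models the exposed state, the hardened one the corrected state.

```python
"""Audit a database listener configuration for the misconfiguration the
article describes: a server bound to a public interface with no
authentication, so anyone on the internet can read the data.

The config format and key names below are constructed for this example;
they are not the syntax of any particular database engine."""

from dataclasses import dataclass
import ipaddress

# Addresses that mean "listen on every interface", public ones included.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}
TRUTHY = {"true", "yes", "1", "on"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "medium", "high" or "critical"
    message: str


def parse_config(text):
    """Parse a minimal `key = value` config, ignoring blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def classify_bind(addr):
    """Return 'loopback', 'internal' or 'public' for a bind address."""
    if addr in WILDCARD_ADDRS:
        return "public"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # A hostname: we cannot tell what it resolves to, so treat it as
        # public rather than silently assuming it is safe.
        return "public"
    if ip.is_loopback:
        return "loopback"
    return "public" if ip.is_global else "internal"


def audit(settings):
    """Evaluate bind address and auth setting; return a list of Findings."""
    findings = []
    # Many engines historically defaulted to all interfaces, so a missing
    # bind_address is treated as the wildcard.
    bind = settings.get("bind_address", "0.0.0.0")
    auth_required = settings.get("auth_required", "false").lower() in TRUTHY
    reach = classify_bind(bind)

    if reach == "public":
        findings.append(Finding("high", f"listener bound to {bind}: reachable from any network, internet included"))
    elif reach == "internal":
        findings.append(Finding("medium", f"listener bound to {bind}: reachable from the whole internal network"))

    if not auth_required:
        findings.append(Finding("high", "authentication disabled: any client that can connect can read and modify every record"))

    if reach == "public" and not auth_required:
        findings.append(Finding("critical", "unauthenticated database exposed to the internet: the condition the article describes"))
    return findings


# Constructed configs: the exposed state and a hardened one.
WEAK_CONFIG = """
# listens everywhere and trusts everyone
bind_address = 0.0.0.0
auth_required = false
"""

HARDENED_CONFIG = """
bind_address = 127.0.0.1   # local clients only; remote access goes through a VPN or SSH tunnel
auth_required = true
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(parse_config(cfg))
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

The two checks are deliberately separate: binding to loopback without authentication is still a problem on a shared host, and authentication on a publicly bound listener still leaves the service enumerable by scanners such as the one the article later cites, so each setting produces its own finding and only the combination is rated critical.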
COPPA requires that a service such as uKnowKids.com “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”
I don't know about you, but I would consider it not a “reasonable procedure” to give the public open, unfettered access to a database containing detailed child information. I know that uKnowKids.com is bound by COPPA because their CEO, Steve Woda, told me so in a telephone conversation.
In fact, during that very same phone call, Steve Woda tried all manner of intimidation tactics against me. I can only assume that this is because he doesn't want anyone reporting on the incident. Woda repeatedly insisted that I have acted inappropriately in my response to discovering and alerting his company to the gaping breach.
Furthermore, he tried to convince me that an outlet reporting on the breach could face liability under COPPA (a claim which is, of course, preposterous).
I was a bit surprised by Steve's tone during that February 18th phone conversation. Just the previous day, he had sent me email messages such as the following:
Thank you again for alerting me to the data security breach that you discovered. I am super sensitive to ANY and EVERY security vulnerability (and in this case, breach), and so I am very, very thankful for your note […]
[…] you could easily put us out of business if we are not provided the opportunity to comprehensively deal with this appropriately […]
I have no interest in putting uKnowKids “out of business”. However, I do not appreciate it when someone is nice and agreeable in emails and then issues veiled threats over the phone.
There's no way for me to know for sure how long this data was exposed to the public internet, although the information collected by Shodan.io suggests that the database had been up for at least 48 days. There's also no way for me to know for sure how many people may have accessed the database during the exposed timeframe.
The lesson to learn here is that, if you're a parent, be wary of services that offer to monitor your child's online behavior. These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people.
Also, if you ever decide to do the right thing and notify a company that they are leaking data, try to keep all correspondence in written format. I've found that CEOs are much less willing to mind their manners in telephone conversations.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.