Child-Monitoring Company Responds To Notification Of Security Breach By Publicly Disparaging Researcher Who Reported It

from the got-a-full-clip-of-'thank-yous'-with-your-name-on-it dept

“Thanks for letting us know about this! We’ll get it fixed immediately!” said almost no company ever.

There’s a long, but definitely not proud, tradition of companies shooting the messenger when informed of security flaws or possible breaches. The tradition continues.

uKnowKids is monitoring software parents can install on their children’s cell phones that allows them to track their child’s location, as well as social media activity, text messages and created media. As such, it collects quite a bit of info.

The information on your child collected includes:

  • the online profile/screen names, mobile telephone numbers and email addresses associated with the Linked Accounts and the people communicating with the Linked Accounts and devices and in certain situations, the text of the online or mobile phone SMS or MMS conversations themselves;
  • the geographic location and time and date associated with a specific geographic location of your Linked Account mobile device;
  • your Linked Accounts’ social networking activity and contacts;
  • photographs sent, received or uploaded by your Linked Account;
  • the websites visited from your Linked Account mobile device; and
  • the applications installed on your Linked Account mobile device.

That’s a lot of data, all related to children. This should be kept locked up tight. Unfortunately, it wasn’t.

Chris Vickery, who now blogs about security over on MacKeeper, alerted this site that a misconfigured MongoDB installation exposed over 6.8 million private child text messages, 1.8 million images (many depicting children, according to Chris), and over 1700 in-depth child profiles.

The data reportedly included full names, email addresses, GPS coordinates, dates of birth, and much more, although Chris tells DataBreaches.net that he did not see payment info or parent details exposed.
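What "misconfigured MongoDB" meant in practice for deployments of that era: before MongoDB 3.6 a default `mongod` bound to every interface with no authentication, so anyone who found the port could list and dump every database with a stock client. The following is an added example, not code from uKnowKids, Vickery, DataBreaches.net or the MongoDB project. It audits a `mongod.conf` for the two settings that decide this (`net.bindIp` and `security.authorization`) and shows a constructed exposed configuration beside a hardened one; the tiny parser only handles the two-level YAML subset that `mongod.conf` uses.

```python
"""Audit a mongod.conf for the two settings whose defaults, before MongoDB 3.6,
left a server listening on every interface with no authentication.

Added example for this article; not code from uKnowKids, Vickery or MongoDB.
The sample configs at the bottom are constructed for illustration.
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_mongod_conf(text):
    """Parse the 'section:\\n  key: value' YAML subset used by mongod.conf.
    Enough for a net/security audit; deliberately not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not raw.startswith((" ", "\t")):       # top-level section name
            if value:                             # scalar at top level: keep, no children
                conf[key], section = value, None
            else:
                conf.setdefault(key, {})
                section = key
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []

    # Pre-3.6 the default was to bind all interfaces; an explicit 0.0.0.0 does the same.
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp unset: pre-3.6 default binds every interface")
    else:
        exposed = {a.strip() for a in bind_ip.split(",")} - LOOPBACK
        if exposed:
            findings.append(
                f"net.bindIp exposes non-loopback address(es): {sorted(exposed)}")

    # Without security.authorization=enabled, any client that can connect is an admin.
    if sec.get("authorization") != "enabled":
        findings.append(
            "security.authorization not enabled: unauthenticated clients get full access")
    return findings


# Constructed sample: what a typical exposed deployment of that era looked like.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0     # listens on the public interface
"""

# Constructed sample: the same server bound to loopback with auth required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Binding to loopback is only half of it: a server that must be reachable from application hosts still needs `security.authorization: enabled` plus a network boundary (firewall, VPC rules or a TLS-terminating proxy), because `bindIp` alone does nothing once the address is routable.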


Vickery did the right thing and notified uKnowKids. The security hole was closed. But the company wasn’t interested in thanking Vickery for his efforts. Instead, as the Office of Inadequate Security notes, the company decided to notify its customers in a rather unusual fashion. A post at the company’s site completely misconstrues the chain of events.

Here’s the BS headline.


And here’s the BS text:

It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.

The hacker claims to be a “white-hat” hacker, a “security researcher” or “white hat hacker” or “ethical hacker”, which means he tries to obtain unauthorized access into private systems for the benefit of the “public good”. Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.

The passive aggression continues later in the post.

The first IP address that obtained unauthorized access to uKnow’s private database was 65.36.124.81. We believe this IP address is associated with Mr. Christopher Vickery in Austin, Texas, but we don’t have confirmation of that fact yet.

Mr. Vickery claims to work at a prominent law firm by day and exploit vulnerable technology systems at night. We do not have any additional background information on Mr. Vickery, but we are doing our best to fully identify Mr. Vickery in order to validate his stated “benign” intentions.

The second IP address (209.144.254.123) that accessed uKnow’s private database in an unauthorized manner is reportedly associated with Mr. Vickery’s full-time employer in Austin, Texas. Again, we don’t yet have confirmation on who owns this IP address or the IP address owner’s official connection with Mr. Vickery, but this is the early information we have been able to determine so far.

The post goes on to insinuate that Vickery has some sort of malignant interest in holding onto uKnow’s code.

The database also included uKnow’s proprietary natural language processing engine technology and data including our proprietary algorithms that power uKnow’s technology.

We have repeatedly requested that Mr. Vickery permanently delete any and all copies of uKnow’s intellectual property including its proprietary customer data, business data, database schemas and field names, trade secrets, curated data dictionaries and algorithms.

After initial resistance, Mr. Vickery claims to have deleted the downloaded database in its entirety. However, he has reportedly retained an unknown number of screenshot copies of uKnow’s intellectual property, and is so far unwilling to permanently delete this information. In an effort to protect our customers and stakeholders, we continue to request the destruction of any and all copies of uKnow’s database including screenshots which are, in fact, copies of uKnow’s database.

It also suggests Vickery’s possession of screenshots might somehow violate COPPA (the federal law governing the collection of personal data from children under 13) and says it has reported the breach to the FTC.

We have contacted the Federal Trade Commission for guidance and to report the breach. uKnow goes to great effort and expense to fully comply with the FTC’s COPPA regulations, and we believe we are in full compliance at this time.

uKnow’s demand for Mr. Vickery to delete ALL copies of uKnow’s database was obviously driven by our desire to protect our uKnowKids customers, but also to fully comply with COPPA requirements that we do not knowingly allow any third parties access to child data without first having affirmative, verifiable permission from parents. Mr. Vickery obviously did not and does not have authorization to explore, copy, or control this private child data (or uKnow’s intellectual property), and we expect him to comply with our requests immediately.

Nowhere in this long statement questioning Vickery’s intent is there an apology for the breach. There are no unqualified statements of gratitude. Vickery’s history of finding misconfigured databases is well-documented, as is his standard operating procedure of notifying affected companies immediately and destroying any data he obtained while investigating these leaky databases.

Instead of simply fixing the hole and informing affected customers, uKnow decided to publicly disparage the person who alerted it to the issue. It’s responses like these — along with continual abuse of computer security laws — that make security researchers leery of informing affected parties. Informing someone of a security hole shouldn’t be greeted with antagonism and legal threats. But that’s the default operating mode, one that only ensures security holes discovered in the future are less likely to be reported.

Companies: uknowkids


Comments on “Child-Monitoring Company Responds To Notification Of Security Breach By Publicly Disparaging Researcher Who Reported It”

37 Comments
That One Guy (profile) says:

When will they learn...

Vickery’s history of finding misconfigured databases is well-documented, as is his standard operating procedure of notifying affected companies immediately and destroying any data he obtained while investigating these leaky databases.

Given reactions like this are not overly rare (though I must admit this company went above and beyond in shooting the messenger in the CYoA attempt), notifying a company of a security flaw is just asking for trouble. Make the flaw public, do so anonymously, and let the company deal with the fallout.

tqk (profile) says:

Re: Re: When will they learn...

But maybe if those white hat people started actually releasing stuff in the wild and real damages start happening …

Those damages would hit first those on the front line; researchers who find this stuff.

It used to be when you found a small child wiping its eyes calling for its mother, you’d take it under your wing and help it find her. This encourages you to run away instead, lest you be accused of molesting a child.

Stupid century.

Josh in CharlotteNC (profile) says:

Re: When will they learn...

Even disclosing a vulnerability anonymously poses issues. If you stumble across a vulnerability in a service you use in the normal course of using it, there could be a trail leading back to you. When a company gets that anonymous tip and starts going back through their logs, you could be implicating yourself.

That One Guy (profile) says:

Re: Re: When will they learn...

The way I see it someone who stumbled upon a vulnerability has three options (assuming white-hat anyway, black hats have several more).

1. Ignore it. If the vulnerability is serious enough, and you use the service, distance yourself from it as quickly as possible.

2. Inform the company privately. While the ‘polite’ option, this also carries the chance that the company will react in a fashion similar to that displayed in this example, and prioritize shooting the messenger and CYoA over fixing the problem.

3. Inform the public anonymously. The safer option for the one disclosing the vulnerability, this however is much more painful to the company and its customers, as they’re finding out about the vulnerability at the same time as those who might take the opportunity to exploit it, which means they have to scramble like mad to find a fix.

If so many companies didn’t have a penchant for shooting the messenger, then #2 would be the clear ‘best’ option for everyone involved, but as it stands #3 and #1 are much safer for those that stumble upon problems, with #3 being painful for the company in the short term, while #1 has the potential to be even worse long-term when the vulnerability is found by someone more interested in making use of it for their own gain.

While it’s possible that someone that goes with #3 could still be found out the odds are drastically less than #2, and at least it ensures that something will be done with regards to the vulnerability.

kallethen says:

When I eventually will allow my son to have a cell phone, I won’t be relying on software like this. I certainly don’t feel safe with sharing all that information with a third party.

I’ll take the same approach I do with his laptop: Set some ground rules about social media, check in on him every now and then, explain why those are the rules, and check in on what he’s doing regularly.

It’s amazing what some trust and communication can do. Of course, I’ll readily say I’m very lucky he’s pretty responsible.

Anonymous Coward says:

Re: Re: Re:

My dad had the rule of giving me total privacy on my computer, but with the allowance that he was randomly going to pop in and say “Hands up and off the keyboard and mouse” and check what I currently had active.

Granted this wouldn’t work well with a troubled kid, as I was particularly vanilla about my rebelliousness, but it does get the best of both worlds in my opinion.

Anonymous Coward says:

Well...

You would be pissed if someone else pulled your pants down too!

But I think the public deserved to know, because when someone pulled these guys pants down… we found children!

I think a “for the children” response should be warranted here and start pulling the pants down on several other organizations saying we keep shit secure!

Anonymous Coward says:

Re: One oddity noticed

It’s called managing the message/damage control, while folks here at techdirt are usually able to see that, most other folks are not.

A lot of organizations pay good money to people able to misdirect anger so that the real dirt bags do not get the focus. This company is going to do its best to spin this like they are an honest company that did their best until some scumbag came along, broke in, and then stole shit like a common criminal. Please feel sorry for us and we will now expend effort in trying to keep these meanies away from your precious kids…

Anonymous Anonymous Coward says:

Re: Re: One oddity noticed

I get that the idea of perfection is just that, an idea, but wouldn’t the company be doing their best if the hacker (white hat, black hat, ethical, or criminal) couldn’t get in?

Just short of that, how about noticing that someone was playing in their playpen? It doesn’t appear that they did notice, until told.

Peter (profile) says:

>>We have repeatedly requested that Mr. Vickery permanently delete any and all copies of […].

Or, in other words, we have made sure that IF the appropriate authorities finally pull the finger out of their ass and start investigating who else may have downloaded private data, they will find no evidence at all.

Obstruction of justice or compliance with COPPA?

Anonymous Coward says:

‘There’s a long, but definitely not proud, tradition of companies shooting the messenger when informed of security flaws or possible breaches’

I believe we have to hold our hands up, here in the USA, don’t we? Let’s face it, it’s on par with the attitude that no one should ever have the audacity to think there is anything wrong with anything in the USA, and to actually prove it when there is, is committing the cardinal sin! The fact that those who are affected by the failing of something are supposed to say nothing and do nothing other than be proud that they were among those when as much as could be gleaned from the companies concerned, was gleaned! That doesn’t normally affect anyone at the company because they manage to keep their information separate from customers, but when it becomes known that there was something that could have been done to have prevented the problem, that’s when the company starts throwing hand grenades at those who found the breakdown in the first place and told the company!!

Cjones says:

Proposal, YWS

I propose, as a new standard with its own acronym, “you were stupid” or YWS. YWS applies, and may be given as an answer that concludes the discussion, in the following circumstances: *

1. A person voluntarily gives information over which he has control to a corporation or government organization.
2. That information is not public, that is, he wouldn’t publish it in a newspaper or on a blog.
3. That information is leaked, sold, or otherwise transferred.
4. The person who originally gave the information complains.

The proper and reasonable answer, after these twenty years of global network access, is simply YWS. Note that stupid, in this context, indicates both an intellectual and moral failing.
As for shooting the messenger, does anyone honestly expect anything else?

*Note that YWS applies also to other circumstances. One that hops to mind is purchasing DRM protected content which needs to be authorized over the network and then having either network access or the authorizer fail/refuse to authorize.

tqk (profile) says:

Re: Nice people

Like the way they include the IP address of his “full-time employer”, presumably in the hope of getting him fitted.

I thought you were just using British instead of English.

Head of law firm: “What do you do in your spare time?”

You: “I break into child monitoring software databases.”

Aaron Swartz was only freeing scientific papers.

Anonymous Coward says:

With a giant hole like that, My question is how many people accessed it before Vickery? If a company attacked me after informing them of an major problem in their security, I would counter with the fact that others may have had access to it without informing the company. You could pretty much paint a horror story and people would have to assume it was true without any access logs to prove otherwise. It was only after the company was notified of their error that it was fixed but all that data was exposed. “The Bad Guys” still could have the data up until the flaw was repaired and could easily track the habits of the children.

Anonymous Coward says:

When will these MORONS ever learn? Never EVER tell a company that they have a breach in their software or their security. Every time someone has informed a company of a serious security hole or glitch, almost always, that company has turned the tables and accused the person of hacking their systems.

If these morons “white hat” security researchers were smart, they would just post the information online and let these companies run around like chickens with their heads cut off and play damage control.

If I discovered a security hole, I would never inform the company of it. I would post it online, everywhere I could, and sit back and watch the company fall over themselves with the reality that they couldn’t blame me after I informed them of it.

How many times are these idiot security researchers going to learn that companies do not want you informing them of glitches in their software or their devices. They fix the holes and then blame you for “hacking” into their systems.

Rich Kulawiec (profile) says:

This is why "responsible disclosure" is a fairy tale

There’s really no such thing, because companies continue to (a) lie (b) deny (c) disparage (d) ignore (e) threaten (f) litigate (g) censor (h) prosecute.

Given this environment, the best course of action is to anonymously disclose security bug/breach information with no advance warning. That at least avoids (c), (e), (f), (g), and (h).

Oh, and avoid this company like the plague, because if they’ve made one mistake this enormous, they’ve probably made more. And the next person who finds one of them is extremely unlikely to be so kind and generous.

tommygilley (profile) says:

Unauthorized Access?

If a person finds a poorly configured system and uses their neglect to access a database felt secure, how can they claim unauthorized access? They were responsible for the choice of software and configuration. The responsibility lies solely with the owner of the database. He used the configuration the organization set up to access the data. Had he used an independent program to access the database through external software tools, that’s hacking as hell.

That Anonymous Coward (profile) says:

"private database"

a “private database” that we configured that ANYONE who looked online could access all of the details from.

Look over there at the very bad man who told us that we fucked up & violated all of our customers trust. Do not question how we might be using this data to make more money, burn the bad man who exposed we are incapable of protecting our most important data…

They can’t protect a database, and you pay them to protect your kids… perhaps you should focus on that.
