Company gets chippy with security researcher

Feb 26, 2016 20:15 GMT  ·  By

Over the past week, security researcher Chris Vickery and child tracking platform uKnowKids had a public he-said, she-said spat, the company accusing the security researcher of "hacking" their systems.

Chris Vickery is known in security circles as the guy that randomly searches the Internet for unprotected MongoDB database servers. He's been doing this for the past few months and has uncovered massive data breaches in many companies, such as Microsoft, MacKeeper, Hello Kitty, OkHello, Slingo, iFit, Vixlet, and Hzone.

Continuing his usual work, Vickery stumbled upon an unprotected MongoDB server that belonged to uKnowKids. After accessing and downloading the database's data (on February 16 and 17) to verify its content, Vickery, as usual, contacted the company to let them know about their issue.

The he-said, she-said part

Instead of kisses and hugs, Vickery says the company's CEO called him on his phone to make veiled threats over "hacking" their systems and over having unauthorized data on his computer.

uKnowKids then published a blog post on February 22, making it look like Vickery was ill-intended and was only masquerading as a security researcher.

Vickery fought back on MacKeeper's blog, accusing the company of violating the Children's Online Privacy Protection Act (COPPA) by not having proper security measures in place to protect sensitive information about children and prevent access to it.

In spite of the fact that we’re in the year 2016, companies continue to respond in the worst and most inappropriate ways to security researchers, especially when being informed of security incidents.

After much of social media had skewered uKnowKids for its unprofessional response, the company followed through on February 25 with another blog post, thanking Mr. Vickery and also revealing the results of an internal investigation.

What really happened

To blame for the whole data breach was a MongoDB database deployed on December 28, 2015, that went into a production environment on January 15, 2016.

As it appears, this database had improper access rights, exposing over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 child profiles that included data such as first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.

[Image: Edited sample of the exposed uKnowKids data]

Vickery discovered this database, downloaded it, verified the data, and informed uKnowKids. As it appears from uKnowKids' blog posts, the company seems to have over-reacted to the whole incident because the same database also contained business data, trade secrets, intellectual property, and algorithms used by the uKnowKids platform.

It appears that Vickery initially did not want to delete the uKnowKids data, fearing he might be sued for slander, and wanted to keep it as evidence of the company's failure to secure its server. In the end, Vickery deleted the data but took screenshots as a precaution.

uKnowKids' CEO Steve Woda says that the exposed database was patched 90 minutes after Vickery's email, that nobody except Vickery downloaded the data, and that nobody except Vickery and two verified sources accessed the database during the time it was left exposed online.

Either way, this is just another example of companies fearing lawsuits from angry parents more than they appreciate that security researchers mean them no harm when reporting a vulnerability.

Below is what uKnowKids claims was exposed via the insecure MongoDB database.

Summary                          Data        Unique Child Profiles
Parent Accounts                  1,186       1,352
Parent Email Addresses           243         -
Child Email Addresses            -           -
Credit Card Payment Information  -           -
uKnowKids Passwords              -           -
Data Channel Passwords           -           -
Mobile Image URLs                1,068,250   1,086
Social Network Image URLs        905,791     670
Social Network Posts             413,629     856
Mobile Messages                  6,346,161   1,189
Social Network Tags              6,026       233
Social Network Contacts          47,766      273

UPDATE: The article was updated to remove an incorrect statement about one of the companies Mr. Vickery helped that threatened to "infect him with AIDS." The company actually threatened a databreaches.net reporter, who aided Vickery in his research.
