The parental-monitoring service uKnowKids accidentally exposed the names, addresses and birth dates of up to 1,740 children on the open Internet, and might still be doing so if a security researcher hadn't stumbled across the data. The exposed data also included 6.8 million text messages, 1.8 million images, and GPS coordinates that had been associated with uKnowKids accounts.
The unsecured data was discovered last week by Chris Vickery (opens in new tab), a IT staffer in Austin, Texas who moonlights as a security researcher for Mac-security-software maker MacKeeper. Yesterday (Feb. 22), uKnowKids CEO Steven Woda took to the UKnowKids blog to say the holes had been patched, but described Vickery as a "hacker" who "breached" the company's database, even as he acknowledged Vickery had discreetly brought the issue to the company's attention.
Vickery told Tom's Guide that he didn't need to hack into anything, and that he had stumbled upon uKnowKids' "unprotected" database using the Shodan search engine, which is designed to find all kinds of Internet-connected devices.
"I am not a hacker, and have never claimed to be any sort of hacker," Vickery told us. "When something is configured for public access, and is allowed to be indexed on a public search engine, there should be no surprise that someone in the public discovers it."
Not only did the exposed database contain the logs of user conversations and photos, Vickery said, but the full names, addresses and dates of birth of children were also exposed. Such information would be very valuable to identity thieves, as duplicate identities are often discovered only when a person enters the workforce.
"The database itself was not encrypted at all," Vickery said. "Some of the password fields appear to have been MD5 hashed."
The MD5 encryption algorithm is known to be weak, and Vickery told us that the "hashed" passwords did not appear to be "salted" with random data that would stop password crackers. Free online services such as CrackStation and HashKiller will quickly "crack" all but the strongest MD5-hashed passwords.
In the company blog post, Woda accused Vickery of stealing uKnowKids' intellectual property and said the company had alerted "the necessary legal authorities." Woda strongly implied that Vickery violated the Children's Online Privacy Protection Act (COPPA) of 1998, which mandates strong protection of personal information pertaining to children, by accessing the information that uKnowKids had posted online without any protection.
"uKnowKids has issued many misleading statements and half truths," Vickery told Tom's Guide. Asked for further comment, he said, "I plan to consult with an attorney before expanding upon that response." If you or a loved one have used uKnowKids' services, we recommend that you change your account password immediately, and also make sure you're not using the old password anywhere else.
For $10 per month, $100 per year or $180 forever, uKnowKids will monitor your kids' Facebook, Instagram, Twitter and other social-networking accounts, as well as the kids' Android devices. Monitoring Apple mobile devices merits an extra $60 one-time payment.