The CEO of a firm that sells child monitoring services has hit out at the security researcher who informed his team of a major privacy breach resulting from a misconfigured database.
The firm, uKnowKids.com, runs a service allowing parents to see what their children are up to online.
On Monday, it emerged that Kromtech researcher Chris Vickery had contacted the firm to inform it that a misconfigured MongoDB installation had exposed sensitive data on around 1700 children.
This included full names, email addresses, GPS coordinates, dates of birth, social media account details and millions of private texts and images, according to CSO.
The database apparently also included proprietary algorithms and intellectual property belonging to the firm.
It appears that the database in question exposed the details for only 48 hours, and uKnowKids patched the issue within 90 minutes.
However, in a lengthy response to the incident, the firm’s CEO, Steve Woda, was highly critical of Vickery’s methods, claiming that its “private database was repeatedly breached by a hacker using two different IP addresses.”
“Mr. Vickery claims to work at a prominent law firm by day and exploit vulnerable technology systems at night,” he continued.
“We do not have any additional background information on Mr. Vickery, but we are doing our best to fully identify Mr. Vickery in order to validate his stated ‘benign’ intentions.”
Woda said he has requested Vickery delete all screenshot copies in his possession in order to protect the privacy of uKnowKids and comply with FTC COPPA regulations that “we do not knowingly allow any third parties access to child data without first having affirmative, verifiable permission from parents.”
Vickery claimed he has wiped the database and retained only a few screenshots redacted of any PII.
He told CSO that these “are being kept for purposes of credibility and to keep uKnowKids (minimally) honest in their claims.”
The online tussle would seem to highlight once again the challenges facing security researchers, particularly when exposing shortcomings involving highly sensitive data.
Vickery is a researcher who has exposed several high-profile privacy snafus in the past.
Dodi Glenn, vice president of cybersecurity at AV firm PC Pitstop, argued that firms should treat the research community with more respect.
“They need to realize that these individuals aren’t trying to do anything malicious with their knowledge – they shouldn’t be threatened with lawsuits or the authorities being called on them,” he added. “If a good guy can discover a hole, so can the bad guys.”