Misconfigurations are a pain in the arse. They lead to more website compromises than inverted flux capacitors. But, in all seriousness, it seems that the company uKnowKids had an insecure MongoDB setup that was swinging in the breeze.
Along came Chris Vickery, who discovered the database, which had been dangling online for at least 7 weeks, and let the company know.
From The Register:
A misconfigured database at uKnowKids.com exposed the data of 1,700 children, their personal messages, social media profiles, and images. More than 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles were left exposed, according to Vickery. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.
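For anyone wondering what "misconfigured" means in practice for a MongoDB of that era, here is an added illustration (not from the original post, and not uKnowKids' actual file): the two mongod.conf settings that decide whether a server answers anyone on the internet without credentials, with the exposed configuration beside the corrected one. The keys are MongoDB's real YAML options; the file contents are constructed.

```yaml
# Constructed example of a mongod.conf that leaves a server "swinging in the breeze".
# (Assumed layout, not the company's real config.)
net:
  bindIp: 0.0.0.0            # listens on every interface, including the public one
  port: 27017
security:
  authorization: disabled    # anyone who can reach the port can read every collection
---
# Corrected version of the same file.
net:
  bindIp: 127.0.0.1          # local clients only; reach it remotely over a private network or an SSH tunnel
  port: 27017
security:
  authorization: enabled     # every client must authenticate; create an admin user before enabling this
```

Once authorization is enabled, a client connecting without credentials gets nothing back from a find(), which is the behaviour Vickery's scan would have hit had it been set.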
The firm’s CEO took a swipe at Vickery, and this is the part that drives me to distraction. Why do some companies think the best way to mend their security issues is to badmouth the person who pointed and said, “Hey, I can see your naughty bits”? Seems nonsensical, doesn’t it?
I get that they were butthurt, but taking a swing at the person who alerted them simply invites others to come poking around.
Use your noodle and work with people who point out security issues rather than shun them, lest the law of unintended consequences make a nest in your gullet.
(Image used under CC from dinnercakes)