
An AI Toy Exposed 50K Logs of Its Chats With Kids To Anyone With a Gmail Account (wired.com)

(Friday January 30, 2026 @05:00AM (BeauHD) from the privacy-nightmare dept.)


An anonymous reader quotes a report from Wired:

> Earlier this month, Joseph Thacker's neighbor mentioned to him that she'd preordered a couple of stuffed dinosaur toys for her children. She'd chosen the toys, called Bondus, because they offered an AI chat feature that lets children talk to the toy like a kind of machine-learning-enabled imaginary friend. But she knew Thacker, a security researcher, had done work on AI risks for kids, and she was curious about his thoughts.

>

> So Thacker looked into it. With just a few minutes of work, he and a web security researcher friend named Joel Margolis made a startling discovery: Bondu's web-based portal, intended to allow parents to check on their children's conversations and for Bondu's staff to monitor the products' use and performance, also [1]let anyone with a Gmail account access transcripts of virtually every conversation Bondu's child users have ever had with the toy.

>

> Without carrying out any actual hacking, simply by logging in with an arbitrary Google account, the two researchers immediately found themselves looking at children's private conversations, the pet names kids had given their Bondu, the likes and dislikes of the toys' toddler owners, their favorite snacks and dance moves. In total, Margolis and Thacker discovered that the data Bondu left unprotected -- accessible to anyone who logged in to the company's public-facing web console with their Google username -- included children's names, birth dates, family member names, "objectives" for the child chosen by a parent, and most disturbingly, detailed summaries and transcripts of every previous chat between the child and their Bondu, a toy practically designed to elicit intimate one-on-one conversation.

More than 50,000 chat transcripts were accessible through the exposed web portal. When the researchers alerted Bondu about the findings, the company acted to take down the console within minutes and relaunched it the next day with proper authentication measures.

"We take user privacy seriously and are committed to protecting user data," Bondu CEO Fateen Anam Rafid said in his statement. "We have communicated with all active users about our security protocols and continue to strengthen our systems with new protections." The company has also hired a security firm to validate its investigation and monitor its systems in the future.
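The flaw the report describes is authentication without authorization: the portal confirmed that a visitor held some Google account and then served transcripts belonging to every family. The following is an added example, not Bondu's code and not taken from the Wired article; it uses a constructed in-memory data set and hypothetical helper names to contrast the broken check (any signed-in account may read any transcript) with an object-level authorization check that scopes every read and every listing to the children linked to the caller's account.

```python
"""Object-level authorization for a parent portal (added example, not Bondu's code).

Models the failure described above: a portal that treated "signed in with a
Google account" as sufficient to read any transcript. All users, ids and
transcript text below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    google_sub: str                                     # stable subject id from the Google ID token
    child_ids: frozenset = field(default_factory=frozenset)  # children linked to this account


@dataclass(frozen=True)
class Transcript:
    transcript_id: int
    child_id: str
    text: str


class Forbidden(Exception):
    """Raised for both unauthenticated and unauthorized access."""


# Constructed sample data: two families and an unrelated Google account.
USERS = {
    "sub-parent-a": User("sub-parent-a", frozenset({"child-1"})),
    "sub-parent-b": User("sub-parent-b", frozenset({"child-2"})),
    "sub-stranger": User("sub-stranger"),  # valid Google login, no children linked
}
TRANSCRIPTS = {
    1: Transcript(1, "child-1", "My dino is called Rex and I like pancakes"),
    2: Transcript(2, "child-2", "Can you sing the dance song again"),
    3: Transcript(3, "child-1", "Tell me a story about the moon"),
}


def get_transcript_vulnerable(google_sub, transcript_id):
    """The bug: authentication only. Any valid login can read any transcript."""
    if google_sub not in USERS:
        raise Forbidden("not signed in")
    return TRANSCRIPTS[transcript_id]


def get_transcript_fixed(google_sub, transcript_id):
    """Authentication plus an ownership check on the requested object."""
    user = USERS.get(google_sub)
    if user is None:
        raise Forbidden("not signed in")
    transcript = TRANSCRIPTS.get(transcript_id)
    # Same denial for "missing" and "not yours", so ids cannot be enumerated.
    if transcript is None or transcript.child_id not in user.child_ids:
        raise Forbidden("no access to this transcript")
    return transcript


def list_transcripts(google_sub):
    """Listing endpoints need the same scoping: filter by ownership, never return the table."""
    user = USERS.get(google_sub)
    if user is None:
        raise Forbidden("not signed in")
    return [t for t in TRANSCRIPTS.values() if t.child_id in user.child_ids]


def count_readable(google_sub, fetch):
    """Number of transcripts an account can read through the given fetch function."""
    readable = 0
    for tid in TRANSCRIPTS:
        try:
            fetch(google_sub, tid)
            readable += 1
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    print("stranger, vulnerable:", count_readable("sub-stranger", get_transcript_vulnerable))
    print("stranger, fixed:", count_readable("sub-stranger", get_transcript_fixed))
    print("parent A, fixed:", count_readable("sub-parent-a", get_transcript_fixed))
```

The point of `count_readable` is the audit question a reviewer should ask of any per-object endpoint: given a freshly created account with nothing linked to it, how many records can it read? With the vulnerable function the answer is every record; with the ownership check it is zero, and a linked parent sees only their own children's transcripts. The listing function matters as much as the single-object read, since a console that filters by id but returns the full table from its index page leaks just as badly.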



[1] https://www.wired.com/story/an-ai-toy-exposed-50000-logs-of-its-chats-with-kids-to-anyone-with-a-gmail-account/



Whoda thunk it? (Score:2)

by swillden ( 191260 )

A toy company doesn't know how to secure their web site. Nobody saw that coming.

What matters is who pays for the breach (Score:2)

by FeelGood314 ( 2516288 )

I did security audits and the company that did the second best was a toy company. They did better than any banks, every government agency we audited and all the defense contractors. The difference was that if this toy company got the security wrong they would lose large amounts of money. If a bank or the government f#$ks up security they don't bear the pain.

Re: (Score:3)

by swillden ( 191260 )

> I did security audits and the company that did the second best was a toy company. They did better than any banks, every government agency we audited and all the defense contractors. The difference was that if this toy company got the security wrong they would lose large amounts of money. If a bank or the government f#$ks up security they don't bear the pain.

I did security consulting for 15 years, all sorts of industries. Banks are among the worst. It's not because they don't lose money, it's because banks view security entirely through a financial lens. It's always about "how much fraud will this mitigate, and does the security cost more than eating the fraud", plus they also use a lot of procedural mitigations -- plus of course they're always looking to see if there's some other party they can shift the fraud cost to, though that's less effective than you m

Re: (Score:2)

by 93 Escort Wagon ( 326346 )

> "Not quite shitty enough to get hurt too bad".

Shut up and take my money!

Testing. (Score:3)

by kellin ( 28417 )

This is what happens when you neglect to even do basic testing.

I worked in QA for a few years back in the 90s and it still boggles my mind how poorly things are left untested, even today.

Re: (Score:2)

by tunkamerica ( 3653259 )

so what's potassium?

Re: All Caps (Score:1)

by RightwingNutjob ( 1302813 )

Potassium is an element, not a letter, silly!

Re: (Score:2)

by gkelley ( 9990154 )

When my daughter was growing up, she always talked to her dolls, toys, and other things she played with. I'm just guessing here, but she seemed to know that they talked back.

Re: What kind of parent (Score:2)

by Mr. Dollar Ton ( 5495648 )

The same kind that leave them with a smartphone from the crib, so when they get to school age they are barely able to talk.

Re: What kind of parent (Score:1)

by RightwingNutjob ( 1302813 )

Why talk when you emote with your facial features?

Hmm. What about the data (Score:5, Interesting)

by ZERO1ZERO ( 948669 )

So all this data - where does it go? tinfoil-hat-on No doubt being harvested into the AI machine singularity to learn how to talk to and manipulate children. Even emulate children's conversations and speech patterns. This could be some of the most complete data about this. Having this kind of information stored and leaked like this is frightening. That's what they say about all these phones and smart speakers always listening. But for what - just to show you an advert?

Corporate BS (Score:5, Insightful)

by Scutter ( 18425 )

"We take user privacy seriously and are committed to protecting user data"

LOL, no you don't. Demonstrably so.

An Insane Idea (Score:2)

by coopertempleclause ( 7262286 )

This might be an insane idea, but maybe companies storing private user data should get the security audit before they leak loads of user data!
