An AI Toy Exposed 50,000 Logs of Its Chats With Kids to Anyone With a Gmail Account
Briefly

"With just a few minutes of work, he and a web security researcher friend named Joel Margolis made a startling discovery: Bondu's web-based portal, intended to allow parents to check on their children's conversations and its own staff to monitor their product's use and performance, also let anyone with a Gmail account access transcripts of virtually every conversation Bondu's child users have ever had with the toy."
"In total, Margolis and Thacker discovered that the data Bondu left unprotected - accessible to anyone who logged in to the company's public-facing web console with their Google username - included children's names, birthdates, family member names, 'objectives' for the child chosen by a parent, and most disturbingly, detailed summaries and transcripts of every previous chat between the child and their Bondu, a toy practically designed to elicit intimate one-on-one conversation."
Bondu, a stuffed dinosaur toy for children, includes an AI chat feature that lets kids converse with a machine-learning-enabled companion. Security researchers Joseph Thacker and Joel Margolis found that Bondu's web-based portal allowed anyone with a Gmail account to access transcripts and user data. The exposed records contained children's names, birthdates, family member names, parent-selected objectives, pet names for the toy, likes and dislikes, and detailed chat summaries. More than 50,000 chat transcripts were accessible, representing essentially all conversations except those manually deleted. No hacking was required: logging in to the company's public-facing web console with a Google account was enough.
Read at WIRED