AI toy maker Bondu left its web console almost completely unsecured, and researchers who accessed it found recordings of virtually every conversation children had with their stuffed animals.
AI toy maker Bondu left its web console almost completely unsecured, and researchers who accessed it found recordings of virtually every conversation children had with their stuffed animals.
In January, cybersecurity researcher Joseph Tucker was approached by his neighbor asking him to check the safety of an AI toy she had ordered for her children, writes Ars Technica.
These are plush dinosaurs from Bondu, which have an AI chat function that allows children to communicate with the toy as a kind of "imaginary friend."
After spending just a few minutes on the job, Joseph Tucker and his friend, web security researcher Joel Margolis, made a startling discovery: the Bondu web portal, designed to allow parents to monitor their children's conversations and company staff to monitor the operation of toys, also allowed anyone with a Gmail account to view transcripts of virtually every conversation that young users had ever had with the toy.
Without any hacking, just by logging in with a random Google account, two researchers instantly saw the children's private conversations. They were exposed to the affectionate nicknames the little ones gave their Bondu, the likes and dislikes of the little toy owners, their favorite treats and dance moves.
Overall, the researchers found that this data included the children's names, their dates of birth, the names of family members, the child's developmental "goals" chosen by the parents, and, most disturbingly, detailed reports and full transcripts of all previous conversations between the child and their Bondu. This toy was actually designed to encourage intimate face-to-face communication.
In conversations with researchers, Bondu confirmed that over 50,000 chat transcripts were available through an open web portal—essentially every conversation the toys had ever had, except for those that had been manually deleted by parents or staff.
According to Tucker and Margolis, when they alerted Bondu to the blatant data vulnerability, the company responded immediately and within minutes, took down the console. The portal was relaunched the next day with proper authentication measures in place.
Bondu CEO Fatin Anam Rafid said the security fixes “were completed within hours, followed by a broader security audit and additional preventative measures for all users.” He also added that the company “found no evidence of third-party access to data beyond the aforementioned researchers.”
