
"Earlier this month, Joseph Thacker's neighbor mentioned to him that she'd preordered a couple of stuffed dinosaur toys for her children. She'd chosen the toys, called Bondus, because they offered an AI chat feature that lets children talk to the toy like a kind of machine-learning-enabled imaginary friend. But she knew Thacker, a security researcher, had done work on AI risks for kids, and she was curious about his thoughts."
"So Thacker looked into it. With just a few minutes of work, he and a web security researcher friend named Joel Margolis made a startling discovery: Bondu's web-based portal, intended to allow parents to check on their children's conversations and for Bondu's staff to monitor the products' use and performance, also let anyone with a Gmail account access transcripts of virtually every conversation Bondu's child users have ever had with the toy."
"In total, Margolis and Thacker discovered that the data Bondu left unprotected - accessible to anyone who logged in to the company's public-facing web console with their Google username - included children's names, birth dates, family member names, "objectives" for the child chosen by a parent, and most disturbingly, detailed summaries and transcripts of every previous chat between the child and their Bondu, a toy practically designed to elicit intimate one-on-one conversation."
A consumer planned to buy Bondus stuffed dinosaur toys that include an AI chat feature for children. Security researchers Joseph Thacker and Joel Margolis accessed Bondu's public web console using arbitrary Google accounts and found exposed user data. The exposed information included children's names, birth dates, family member names, parent-selected objectives, pet names, likes and dislikes, and full chat transcripts. Bondu confirmed that more than 50,000 chat transcripts were accessible through the portal. No hacking beyond logging in with a Gmail account was required. The exposure creates significant privacy risks because the toy elicits intimate one-on-one conversations with children.
Read at Ars Technica