Bondu AI Toy Web Portal Exposed Children's Private Chat Data

Bondu AI Toy Data Exposed, Over 50,000 Chat Transcripts Vulnerable

Security researchers Joseph Thacker and Joel Margolis identified a data exposure vulnerability involving Bondu, a manufacturer of AI-chat-enabled stuffed dinosaur toys. The company's web-based portal, intended for parental oversight and internal monitoring, allowed unauthorized access to sensitive user data.

The Discovery

The researchers discovered that by logging in with an arbitrary Google account, they could access transcripts of nearly all conversations children had with their Bondu toys. Gaining this access required no exploitation of any kind.

Exposed Sensitive Data

The exposed data included children's names, birth dates, family member names, parental objectives for the child, and detailed summaries and transcripts of every chat between the child and their Bondu toy.

Bondu confirmed that over 50,000 chat transcripts were accessible through the portal, representing almost all conversations the toys had facilitated.

While Bondu did not store audio recordings of conversations, it maintained written transcripts to inform future interactions with the toys.

Bondu's Immediate Response

Upon being notified by Thacker and Margolis, Bondu took down the affected console. The portal was subsequently relaunched with appropriate authentication measures.

Bondu CEO Fateen Anam Rafid stated that security fixes were completed within hours and that a broader security review was initiated. He added that the company found no evidence of unauthorized access beyond that of the researchers who reported the issue.

Commitment to Privacy

Bondu stated its commitment to user privacy, communicated with active users about security protocols, and plans to strengthen systems further by hiring a security firm for validation and monitoring.

Broader Privacy Concerns

The incident has raised concerns regarding the privacy implications of AI-enabled chat toys for children.