Can Baby’s Days access your system and info?

In their Privacy Policy Baby’s Days/Sys IQ Ltd state,

Our staff do not have access to any user passwords and are, therefore, unable to access the organisation’s account or data without receiving an invitation from the Master Administrator.

I have had a few blog readers and Facebook members tell me that Baby’s Days have accessed their systems without the user providing them with a user name and password.  If this has happened to you please comment below, if you post using the name Anon, Baby’s Days will not know it was you.

I’m hoping that some of the techie blog readers can help with some questions around this issue?

  1. Baby’s Days record users IP addresses.  In theory could they access a users system without a username and password using the IP address?
  2. If you stopped using Baby’s Days and they kept a record of your IP could they in theory still access your computer even if you no longer run the programme?
  3. If someone could access you computer using the IP address alone, can they change data on your laptop or only view it?

Obviously I could never say categorically that Baby’s Days have accessed users systems with IP addresses only.  But it would be interesting to learn if this is possible.

Pop back tomorrow when I will be blogging about a how all systems are not built equally.

 

 

Have I found another flaw?

Before I start this post, I should clarify that I’m not a very technical person, I don’t know much about computers beyond basic functions such as web browsing and word processing.  I have a vague idea that programmes are written in code, but beyond that I know no more.  I know that you can look many things up on Google and that wikipedia is a great resource.

Given this complete lack of IT knowledge, it’s a little concerning that I may have found another security flaw on Baby’s Days; to clarify this flaw is on the Demo site and on current customers sites.  You can see if for yourself, it’s not straightforward but I’m happy to talk anyone through it if they would like to see it for themselves.

The flaw is an issue that most IT people would label, “unsecured data at rest”; this means that when the data has been sent to the server securely, it is then stored in an unsecure manner.  The data in question is parent comments.  The parent types the comment in on the photo (I’ve only tested this on diary photo comments), the comments are then sent to the server via encrypted transfer and then they are stored on the server logs in plain text – which sort of makes the encrypted transfer rather redundant in my opinion!

This means that anyone at the server end (ie. Data Centre employees and thirds party contractors and Baby’s Days employees) can read all the comments parents place on diary photographs.  Without getting too complicated, the programme absolutely does not need to be written in this way and Baby’s Days could easily make the storage of parent comments more secure.

Here is a screen shot to give you an idea, the screen shot is from a demo, but this will also happen on your own system.  As you can see I have underlined the parents comments and you can see they are stored in the URL log, which is then sent and stored on the server.  Click on the photo to make it bigger.

Given that Baby’s Days stated I was lying about the last security issue regarding photographs, then I expect this issue will also be swept under the carpet in the same way.  Like the last issue, I emailed Baby’s Days to inform them of the flaw 48 hours before I published my blog.

Ok, so some of you reading this might be thinking, “so what, does it really matter that people can read my parents comments?”

The answer to this will vary from person to person and ultimately I’m only writing about this due to Baby’s Days 100% secure claims, this is another post that suggests it’s not 100% secure.  The way this part of the system has been written appears at best bad practice and and worst unsafe.  Is this the result of using possibly incompetent freelancers?  I would have hoped that freelance developers would be competent at developing secure systems – or at least following some basic best practices which doesn’t seem to be the case here at all.

But at any rate, in my opinion that’s not really the question you should be asking. I think the more important question here is; “If a childminder with no knowledge of computer programming can find 2 security issues with the system, how many could someone with more experience find?”

 

Photos now are password protected :)

This blog has had over 3000 visitors in the last 2 days, because I made a post saying that individual photos are able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, would be able to determine and view anyone’s images on the system without ever needing to log in to babysdays.  Baby’s Days are denying this I believe and issued a statement in their Facebook Support Group which I will blog about tomorrow.

If you sill have no idea what the issue was about or you think I’m making it all up, if you follow this link, you will see a photo that I uploaded to a demo site, that you can view without having to log into the demo site itself.  I’m sure Mark Kahl is just going to say that the Demo site doesn’t have the same security features as you own sites, but this isn’t true.  Until literally just now all photos on your domain could be accessed with a direct URL they did not have a password on them.  Some wesbites even allow/(ed?) you navigate through the folder directory so you could view photos without needing a URL.

http://demo8441.babysdaysdemo.com/images/sted/gallery_image/diary_2/2015/02/thumb/2_1552_1424354330.jpg

You’ll be glad to know that this is now fixed, I’m not sure as of when, the last hour or so I think, but I just noticed it so in the interest of fairness I am updating the blog to reflect the update; probably the only one tha isn’t going to be publicised on the Facebook Like page I’m sure.

Thanks to this blog all your photos now need a user name and password to be viewed and are much more secure.  Yay!

Be aware. Parents can access other children’s photos.

Hi folks, I’m definitely on the mend and have most blog posts for the next week already drafted.  I was going to post tonight about the ICO and their final decision about Baby’s Days / Sys IQ acting illegally and beyond the scope of the Data Protection Act; but I decided to post something more important, especially if you are a current Baby’s Days user.

Last night I received a blog comment from a parent of a child who is on a Baby’s Days subscription owned by a nursery.  The parent is a web developer and wanted to write a script so that photos from the diary would automatically download to his home computer when he ran a programme.

The parent quickly found he was able to access not only his child’s photos but also all of the other children’s photos on the system and also photographs of parents signatures!

From my limited understanding of this, this is because of the way the code is set up.  If you look at the code (which most parents wouldn’t, but they are perfectly entitled to) it provides a “path” if you like, direct to data.  Each parents path should lead them only to their child.  But in this case Baby’s Days had decided to basically remove the “fence” around the paths so that parents could access any path and whatever photos they wanted.

I know most parents provide permission for all parents to see their childs photos so this might not be a big deal to some (!!!) but also you have to remember parents access Baby’s Days on their phones.  If that phone is lost anyone picking it up would have access to the over 100,000 images this nursery has saved.  Also I’m pretty confident parents wouldn’t feel comfortable with anyone being able to save and copy their electronic signature?  Also you have to ask if this could happen with photos could it happen with medical forms or concerns forms?  Would a child be placed in danger by a parent accidentally coming across a “concern” form for example?  These are very important questions that anyone using Baby’s Days really needs to be asking themselves.

The parent contacted Baby’s Days and they were their usually sunny selves and seemed rather blasé about it.  They even said they would put the “fence” back for now so the paths only led to parents children, but they would take the fence down at a later date when they needed to talk to the nursery again?!

I’ve been planning a post for a while now about data security and the fact that Baby’s Days is designed more around security by obscurity, not by design.  Sadly what this parent has discovered is just the tip of the iceberg and as soon as I have more info I will of course be posting it here.

In the meantime if you are still using Baby’s Days please back up your data and think about what sorts of data you are storing there and what it could mean for the children in your care if it fell into the wrong hands.

Do Baby’s Days customers have to pay Baby’s Days legal costs?

So from my last blog post, you can see that Sys IQ Ltd / Baby’s Days refused to process my subject access request and refused to return the data they hold about my son.  Obviously I’m taking this up with the ICO but I wanted to blog tonight about what this could potentially mean for Baby’s Days Customers.

The Information Commissioner has a statutory power to impose
a financial penalty on an organisation if they are satisfied that the
organisation has committed a serious breach of the DPA that is
likely to cause substantial damage or distress.

In theory, if the ICO were to impose a financial penalty on Baby’s Days / Sys IQ Ltd surely their customers wouldn’t have to fit the bill?  I know when I was their customer I never gave paying their legal bills a second thought.

When I started this blog my Facebook went crazy with lots of messages about, “did you know this…?” And one thing that kept coming up and has also been mentioned in the comments on the blog is that apparently within the T&Cs of Baby’s Days, their is a clause that says their customers pay Sys IQ Ltds legal bills.

EH?  WHAT?  Surely not?  Let’s have a look and see if we can reveal the truth behind this.

There is a part in the Terms and Conditions entitled “Indemnification”.  Indemnifications means, To compensate for loss or damage.  Here is what the whole section says….

Indemnification by You. You shall defend (or settle), indemnify and hold harmless Sys IQ Ltd, its officers, directors and employees, from and against any liabilities, losses, damages and expenses, including court costs and reasonable attorneys’ fees, arising out of or in connection with any third-party claim that: (i) a third party has suffered injury, damage or loss resulting from the use by You or by any Authorised User of the Subscription Service, or (ii) the Customer Data, or the use by You or by any Authorised User of the Subscription Service in violation of this Agreement, infringes or violates the Intellectual Property Rights or other proprietary rights of a third party. Your obligations under this section are contingent upon: (a) Sys IQ Ltd providing You with prompt written notice of such claim; (b) Sys IQ Ltd providing reasonable cooperation to You, at Your expense, in the defence and settlement of such claim; and (c) You having sole authority to defend or settle such claim.

It’s all a little bit gobbledy gook to me sadly, and I’m still ill so I’m not 100% sure what it’s saying but I think it’s saying the indemnification by customers only applies in some circumstances?  It’s unclear to me if a (possible) financial penalty from the ICO would fall into one of these categories that customers have to indemnify?  Maybe one the readers can clarify for me?  Data Centre Worker, we haven’t seen you in a while, any thoughts on this?  Anyone else?

For the Baby’s Days ‘water treaders’, ‘lovers’ and the ‘haters’ this does need clarifying really.  Is this sort of T&Cs typical with EYFS Software providers?  Maybe we might hear from them directly on this?!  Especially if it’s not true, I’d imagine they’d want people to know the truth.

In other news I’m feeling much better, I’m still not right but now I have antibiotics I’m on the mend, so expect a blog post on Monday again.  Have a great weekend!