TicTocTrack Statement April 16
16 April 2019
Official Statement
Karen Cantwell, Founder & CEO of iStaySafe Pty Ltd
Following our statement issued on 15 April 2019, I would like to provide an update on the
steps that we have implemented over the last 24 hours:
1. Our software development team is currently reviewing the findings of Mr. Ken Munro
and Mr. Troy Hunt which have been published in recent days. This detailed review
commenced when user access to the TicTocTrack application was restricted, and
we anticipate that it will be completed no later than the close of business on 17
April 2019. A separate statement will be issued shortly after the completion of this
review, and will respond in detail to the statements made by Mr. Troy Hunt
and Mr. Ken Munro.
2. We have engaged an accredited penetration testing service in Australia, which
will conduct a full audit of our software platform. Consistent with our
commitment to ongoing and continuous disclosure, we will provide a summary
of that report upon its completion.
We appreciate the information provided by Mr. Munro on the evening of 15 April 2019,
which has further assisted the review described in item 1 above, and which is reproduced
below in the interests of transparency:
From: Ken Munro
Date: Monday, 15 April 2019 at 5:42 pm
To: Karen Cantwell
Subject: RE: Reporting a security flaw
Hi Karen
First, thanks for taking such swift action. That is markedly more proactive than many of the other
smart tracker watch firms we've found security issues with.
I have attached a full technical write up of the various vulnerabilities. This will make sense to your
developers, however in essence:
The back end service that interacts with the mobile app doesn’t correctly check that the person
making the request is the person authorised to do so.
Whilst the system has user accounts and requires users to log in, it doesn't check that the person
logged in is the correct person to access that child's data.
Whilst I don’t know the technical detail of your systems and backend, my suspicion is that the mobile
app developers haven’t developed the app and backend securely enough. I could be completely
wrong there though. There may be components in common with the Caref/Gator API, but I can’t be
certain.
Regards
Ken
Ken Munro
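The gap Mr. Munro describes in the e-mail above, a backend that checks that a caller is logged in but not that the caller owns the record being requested, is the class of flaw usually called an insecure direct object reference or broken object-level authorization. The following is an added illustration of that class, not TicTocTrack's code and not taken from Mr. Munro's write-up; the `Backend` class, the account names and the child ids are all constructed for the example. It places a lookup that only verifies a session beside one that also verifies ownership, and shows what a single legitimate login can retrieve from each.

```python
"""Illustration (not the TicTocTrack backend) of an authorization check
that stops at authentication. All accounts and records are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets


@dataclass
class ChildRecord:
    child_id: int
    parent_account: str      # account that is entitled to this record
    name: str
    last_location: str


@dataclass
class Backend:
    """Minimal stand-in for a tracker-watch API server (hypothetical)."""
    children: Dict[int, ChildRecord] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)   # token -> account

    def login(self, account: str) -> str:
        # A real system checks a password here; the example is about what
        # happens after login, so credentials are left out.
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token

    # Vulnerable: authentication only.
    def get_child_vulnerable(self, token: str, child_id: int) -> Optional[ChildRecord]:
        if token not in self.sessions:        # is *someone* logged in?
            return None
        # BUG: any authenticated account can read any child_id it can guess.
        return self.children.get(child_id)

    # Hardened: authentication plus object-level authorization.
    def get_child_hardened(self, token: str, child_id: int) -> Optional[ChildRecord]:
        account = self.sessions.get(token)
        if account is None:
            return None
        record = self.children.get(child_id)
        # Return the same "not found" answer for missing and forbidden ids,
        # so a caller cannot tell which ids exist.
        if record is None or record.parent_account != account:
            return None
        return record

    def enumerate_vulnerable(self, token: str, id_range: range) -> List[int]:
        """What one valid login can harvest from the vulnerable endpoint."""
        return [cid for cid in id_range
                if self.get_child_vulnerable(token, cid) is not None]


def demo() -> dict:
    """Exercise both endpoints with two unrelated families."""
    api = Backend()
    api.children[101] = ChildRecord(101, "family_a", "Alice", "home")
    api.children[102] = ChildRecord(102, "family_b", "Bob", "school")

    attacker = api.login("family_b")          # a real account, wrong family
    stolen = api.get_child_vulnerable(attacker, 101)
    denied = api.get_child_hardened(attacker, 101)
    own = api.get_child_hardened(attacker, 102)
    anonymous = api.get_child_hardened("not-a-token", 102)

    return {
        "vulnerable_leaks_other_family": stolen is not None and stolen.name == "Alice",
        "vulnerable_ids_enumerable": api.enumerate_vulnerable(attacker, range(100, 110)),
        "hardened_blocks_other_family": denied is None,
        "hardened_allows_own_child": own is not None and own.name == "Bob",
        "hardened_rejects_no_session": anonymous is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The ownership comparison in `get_child_hardened` is the single line the vulnerable version lacks; in a real service it belongs in the data-access layer so that every endpoint that loads a child record inherits it, rather than being re-implemented per route.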
Finally, we say to our customers and to members of the public that all security issues
are being addressed and will be fixed as soon as possible.
We will release a full and transparent report of all changes made to the
software, based on the findings of the penetration test commissioned by iStaySafe.
Kind regards,