Security Researcher Finds Exposed Admin Panel for AI Toy

A security researcher discovered an exposed Bondu AI toy admin panel that allowed anyone with a Google account to access tens of thousands of children’s conversation transcripts and detailed personal data. The researchers also found an IDOR vulnerability and an authentication bypass; Bondu promptly took down the console, launched an investigation and started a bug bounty. #Bondu #GPT5

Keypoints

  • Researchers Joseph Thacker and Joel Margolis found an exposed admin panel for the Bondu AI toy.
  • The panel exposed tens of thousands of children’s conversation transcripts and detailed family and device information.
  • An authentication bypass let anyone signed in with a Google account reach the console, and an IDOR in the API let callers retrieve other families’ profiles by guessing IDs.
  • Bondu removed the console within ten minutes, audited logs, found no unauthorized access, and launched a bug bounty.
  • The incident highlights privacy and safety risks for children and parents when LLMs like GPT-5 and Google Gemini receive child profile data as context.
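The two bug classes named above, authentication mistaken for authorization and a missing object-level ownership check, are easy to model in a few lines. The Python below is an added illustration, not code from the original page and not Bondu’s implementation: the profile records, e-mail addresses and IDs are constructed for the example, and the hardened versions assume a standard fix (an explicit operator allowlist plus an owner check on every profile lookup) that the page does not attribute to Bondu.

```python
"""Illustrative model (not Bondu's code) of the two bug classes in the report:
an admin console that treats any Google-verified identity as an operator, and
an IDOR where the API trusts a caller-supplied profile ID without checking
who owns it. All records below are constructed sample data."""

from dataclasses import dataclass

# Constructed sample records: which parent account owns which child profile.
PROFILES = {
    "p-1001": {"owner": "parent-a@example.com", "child": "A.", "transcripts": ["hi bondu"]},
    "p-1002": {"owner": "parent-b@example.com", "child": "B.", "transcripts": ["tell me a story"]},
}

# Assumption for the hardened version: operators are an explicit allowlist,
# not "anyone Google can vouch for".
ADMIN_ACCOUNTS = {"ops-admin@example.com"}


@dataclass
class Session:
    email: str
    google_verified: bool  # identity proven by a Google-issued ID token


class AuthError(Exception):
    """Caller is not authenticated at all."""


class Forbidden(Exception):
    """Caller is authenticated but not permitted to see this object."""


# --- Vulnerable versions ---------------------------------------------------

def admin_console_vulnerable(session):
    """Authentication confused with authorization: any verified Google
    account is treated as an operator and gets every transcript."""
    if not session.google_verified:
        raise AuthError("not signed in")
    return list(PROFILES.values())


def get_profile_vulnerable(session, profile_id):
    """IDOR: the caller-supplied ID is looked up with no ownership check,
    so walking a range of guessed IDs discloses other families' data."""
    if not session.google_verified:
        raise AuthError("not signed in")
    return PROFILES[profile_id]


# --- Hardened versions -----------------------------------------------------

def admin_console_hardened(session):
    """Being signed in is necessary but not sufficient: the identity must
    also be on the operator allowlist."""
    if not session.google_verified:
        raise AuthError("not signed in")
    if session.email not in ADMIN_ACCOUNTS:
        raise Forbidden("not an operator account")
    return list(PROFILES.values())


def get_profile_hardened(session, profile_id):
    """Every lookup is checked against the caller's identity. Missing and
    foreign IDs get the same error so the endpoint is not an oracle for
    enumerating valid IDs."""
    if not session.google_verified:
        raise AuthError("not signed in")
    rec = PROFILES.get(profile_id)
    is_owner = rec is not None and rec["owner"] == session.email
    if rec is None or not (is_owner or session.email in ADMIN_ACCOUNTS):
        raise Forbidden("no such profile")
    return rec


# --- Helpers to exercise the two paths -------------------------------------

def enumerate_ids(fetch, session, candidates):
    """Simulate an attacker walking guessed IDs against a profile endpoint;
    returns how many records were disclosed."""
    leaked = 0
    for pid in candidates:
        try:
            fetch(session, pid)
            leaked += 1
        except (KeyError, Forbidden, AuthError):
            pass
    return leaked


def is_denied(fn, session, *args):
    """True if the call is refused with an auth or authorization error."""
    try:
        fn(session, *args)
    except (AuthError, Forbidden):
        return True
    return False


if __name__ == "__main__":
    stranger = Session("random-person@example.com", True)
    guesses = [f"p-{n}" for n in range(1000, 1010)]
    print("vulnerable console rows:", len(admin_console_vulnerable(stranger)))
    print("hardened console denied:", is_denied(admin_console_hardened, stranger))
    print("IDOR leak, vulnerable:", enumerate_ids(get_profile_vulnerable, stranger, guesses))
    print("IDOR leak, hardened:", enumerate_ids(get_profile_hardened, stranger, guesses))
```

The point of the `enumerate_ids` helper is that the guessed-ID attack does not need the console at all: once the API itself fails to tie a profile to the requesting identity, any authenticated account can sweep the ID space. The hardened lookup deliberately returns one indistinguishable error for unknown and foreign IDs, which is the small detail that keeps the fixed endpoint from still leaking which IDs exist.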

Read More: https://thecyberexpress.com/security-researcher-finds-ai-toy-admin-panel/