A stalkerware company that’s designed to let customers spy on their spouses’, children’s, or employees’ devices is exposing victims’ data, allowing anyone on the internet to see screenshots of phones simply by visiting a specific URL.
The news highlights the continuing lax security practices that many stalkerware companies use; not only do these companies sometimes market their tools specifically for illegal surveillance, but the targets are re-victimized by these breaches.
The stalkerware company, called pcTattleTale, offers the malware for Windows computers and Android phones.
Security researcher Jo Coscia showed Motherboard that pcTattleTale uploads victim data to an AWS server that requires no authentication to view specific images. Coscia said they found this by using a trial version of the stalkerware. Motherboard also downloaded a copy of the trial version of pcTattleTale and verified Coscia’s findings.
The URL for images that pcTattleTale captures is constructed with the device ID—a code given by pcTattleTale to the infected device that appears to be sequentially generated—the date, and a timestamp. Theoretically, an attacker may be able to churn through different URL combinations to discover images uploaded by other infected devices.
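The weakness described above is a classic insecure direct object reference: the object name is assembled from predictable parts, and the server hands the object to anyone who presents a well-formed name. The following is an added illustration, not pcTattleTale's code; the account names, device IDs, dates and image bytes are all constructed. It places the guessable design beside the two controls that close it: an object name carrying no reconstructable structure, and an ownership check on every read.

```python
"""
Constructed example (not pcTattleTale's code) of a screenshot store whose
object keys are a sequential device ID plus date and timestamp, served with
no authentication, beside a hardened store that uses unguessable keys and
checks ownership on each fetch. All sample data below is made up.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Screenshot:
    owner: str        # account that installed the software (hypothetical)
    device_id: int    # sequentially assigned, as the article describes
    date: str
    timestamp: str
    png: bytes


# Constructed sample uploads from two hypothetical accounts.
SAMPLE = [
    Screenshot("acct-a", 1001, "2023-03-01", "091500", b"\x89PNG...a1"),
    Screenshot("acct-a", 1001, "2023-03-01", "091530", b"\x89PNG...a2"),
    Screenshot("acct-b", 1002, "2023-03-01", "091500", b"\x89PNG...b1"),
]


# --- Weak design: predictable key, no authentication, no ownership check ---
def predictable_key(device_id: int, date: str, timestamp: str) -> str:
    """Key built from parts an outsider can enumerate: a small, ordered space."""
    return f"{device_id}/{date}/{timestamp}.png"


INSECURE_BUCKET: Dict[str, bytes] = {
    predictable_key(s.device_id, s.date, s.timestamp): s.png for s in SAMPLE
}


def insecure_fetch(key: str) -> Optional[bytes]:
    """Returns the image for any key that exists. This is the flaw."""
    return INSECURE_BUCKET.get(key)


# --- Hardened design: unguessable key plus per-request authorization ---
def unguessable_key() -> str:
    """256 bits from the OS CSPRNG; device/date metadata lives in the DB, not the name."""
    return secrets.token_urlsafe(32)


class ScreenshotStore:
    def __init__(self) -> None:
        self._objects: Dict[str, Screenshot] = {}

    def put(self, shot: Screenshot) -> str:
        key = unguessable_key()
        self._objects[key] = shot
        return key

    def fetch(self, requesting_account: Optional[str], key: str) -> Optional[bytes]:
        """Serve the object only to an authenticated account that owns it."""
        if requesting_account is None:       # unauthenticated request: refuse
            return None
        shot = self._objects.get(key)
        if shot is None:
            return None
        # Constant-time compare so a mismatch does not leak owner names via timing.
        if not hmac.compare_digest(shot.owner.encode(), requesting_account.encode()):
            return None
        return shot.png


if __name__ == "__main__":
    # Anyone who can form the key reads another account's image from the weak store.
    print(insecure_fetch(predictable_key(1002, "2023-03-01", "091500")))
    store = ScreenshotStore()
    k = store.put(SAMPLE[2])
    print(store.fetch(None, k), store.fetch("acct-a", k), store.fetch("acct-b", k))
```

In a cloud object store the `fetch` check corresponds to keeping the bucket private and issuing short-lived, signed URLs only after the application has verified that the requesting account owns the object; the random key alone is not a substitute for that check, but it removes the enumerable structure that made the original design exposable.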
Coscia said they used the free trial version of pcTattleTale when discovering the issue. In promotional emails, pcTattleTale said it would delete users’ data after the free trial expired. But Coscia found the screenshots were still accessible after their free trial period ended.
In one video online, Fleming said he built the code for pcTattleTale in 2003 over the better part of a year before launching it. Then he rewrote the code base when he bought out his business partner in 2012, he added. At one point Fleming complains about his server crashing because more and more people are using the service. Later on he says that pcTattleTale receives about 40,000 unique visitors a month.
“The market’s good, you know,” he said.
“To catch a cheating spouse using an android phone you will need to know their pass-code and have access to the phone for about 5 minutes. The best time to do this is when they are sleeping,” one guide on the company’s website reads. Another separate post from the company tells users how to trick their spouse into handing over their iCloud password.