A “stalkerware” company that openly markets itself as a way to track and monitor the online activity of a spouse or partner also has a glaring security hole that has exposed a significant portion of that data on the web, according to a new report from Motherboard.
pcTattletale is essentially a keylogger. The company sells an app, compatible with Android phones and Windows PCs, that can monitor all activity on a target’s device, be it SMS, email, or anything else. The company claims it is a good way to “catch unfaithful husbands” and encourages customers to install the product on a loved one’s phone or computer without their knowledge, offering tips on its website for how to do so without getting caught.
With the cute and heartwarming slogan “Watch them from your phone or computer,” the company apparently has no interest in subtlety. Instead, it goes all the way in the opposite direction, letting you know that its product is a great way to violate personal boundaries by digging through the contents of your boyfriend or girlfriend’s device, spying on your employees, or monitoring your own child.
On top of all this, the company reportedly has a pretty serious security hole that could allow an outside party to access images captured from compromised devices.
Motherboard reports that the company uploads screenshots taken from infected phones to an AWS server. However, this server is not protected by authentication, which means you do not need a password or any other security check to view the images stored on it. Instead, all you need is the URL of a specific screenshot. These URLs are generated automatically for each individual image and are made up of the associated device ID, the date on which the image was taken, and a timestamp. Motherboard lays it out like this:
The URL for images captured by pcTattleTale is constructed with the device ID — a code given by pcTattleTale to the infected device that appears to be generated sequentially — the date and a timestamp. Theoretically, an attacker may be able to browse different combinations of URLs to discover images downloaded by other infected devices.
The flaw was discovered by a security researcher named Jo Coscia, who says he found it while using a trial version of the company’s software. Motherboard also downloaded the program and independently verified the researcher’s findings. While the outlet notes that it would be difficult to recreate individual timestamps for specific images, an unscrupulous person with plenty of free time and the right tools could, in theory, exploit this to find images other than their own. We have reached out to pcTattletale for comment and will update this story if they respond.
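As an added illustration, not code from pcTattletale or Motherboard, the following Python contrasts an object-key scheme built entirely from guessable parts (modelled on the description above, with a constructed key layout) with the server-side control that closes this class of hole: an expiring, HMAC-signed URL that the storage front end verifies before serving an object. The bucket host and secret are assumed, constructed values.

```python
import hmac
import hashlib
import math
import secrets
from urllib.parse import urlencode, parse_qs, urlparse


def weak_key(device_id: int, date: str, ts: int) -> str:
    # Constructed key layout modelled on the article: sequential device ID,
    # date and timestamp. Every component is predictable, so with no
    # authentication on the bucket the key alone is the only "secret".
    return f"{device_id}/{date}/{ts}.png"


def guess_space_bits(max_device_id: int, window_seconds: int) -> float:
    # Size of the space an unauthenticated bucket is relying on, in bits,
    # for comparison with a 128-bit random token.
    return math.log2(max_device_id * window_seconds)


def random_key() -> str:
    # Unguessable key from the OS CSPRNG. Better than sequential IDs, but
    # still obscurity rather than authentication, hence the signed URL below.
    return secrets.token_urlsafe(16) + ".png"


def _mac(secret: bytes, key: str, expires: int) -> str:
    return hmac.new(secret, f"{key}|{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(secret: bytes, base: str, key: str, now: int, ttl: int = 300) -> str:
    # Server side: issue a short-lived URL bound to one object. The secret
    # never leaves the server, so a client cannot mint URLs for other keys.
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _mac(secret, key, expires)})
    return f"{base}/{key}?{query}"


def verify_url(secret: bytes, url: str, now: int) -> bool:
    # Server side, before serving the object: reject expired or forged URLs.
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    key = parsed.path.lstrip("/")
    return hmac.compare_digest(_mac(secret, key, expires), sig)
```

Changing a single character of the key or signature, or presenting the URL after its expiry, causes `verify_url` to refuse the request, which is exactly the check the unauthenticated bucket described above lacks.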
Stalkerware companies have often been criticized, both for their frequent security failures and for their basic premise, which critics say allows abusive individuals to monitor and control current and former partners. pcTattletale CEO Bryan Fleming has said that products like his are used disproportionately by women, but a study published last February by NortonLifeLock found that men were more than twice as likely to use stalkerware on their partners or ex-partners. Further analysis showed that the pandemic significantly increased the use of these programs against women.
Earlier this month, the Federal Trade Commission made a groundbreaking decision to ban a stalkerware company, SpyFone, from the market, signaling a potential willingness on the part of federal authorities to crack down on these companies.