A consumer-grade spyware app found in check-in systems of 3 US hotels
May 23, 2024
A researcher discovered a consumer-grade spyware app on the check-in systems of at least three Wyndham hotels across the US.
The security researcher Eric Daigle discovered a commercial spyware app, called pcTattletale, on the check-in systems of at least three Wyndham hotels across the US, TechCrunch first reported. Parents often use the app to monitor their children’s online activities or by employers to keep track of employee productivity and internet usage.
Daigle discovered the commercial surveillance software on the hotel check-in systems while investigating consumer-grade spyware (aka stalkerware).
pcTattletale is a software program designed for monitoring and recording the activities of computer users.
The software was used by someone to capture screenshots of the hotel booking systems, including guest details. Daigle also discovered a vulnerability in the monitoring software that allows anyone to access the screenshots taken by the app.
“PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target’s browser.” wrote Daigle in a post. “I recently discovered a serious vulnerability in PCTattletale’s API allowing any attacker to obtain the most recent screen capture recorded from any device on which PCTattletale is installed. It is distinct from the IDOR previously discovered by Jo Coscia, and makes it trivial to actually obtain captures from other devices.”
Daigle attempted to report the flaw to pcTattletale, but the company has not responded. He shared limited details about the screenshot bug in a blog post, intentionally omitting specifics to prevent malicious exploitation.
“The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests’ partial payment card numbers.” reported TechCrunch. “Another screenshot showed access to a third Wyndham hotel’s check-in system, which at the time was logged into Booking.com’s administration portal used to manage a guest’s reservation.”
It’s unclear who installed the malware on the hotel systems and what is his motivation.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, consumer-grade spyware app)