A stalkerware company with poor security practices has exposed victims’ data: its software, built for covert, unauthorized device monitoring, leaked victims’ phone screenshots through publicly accessible URLs.
The incident highlights the dangers of stalkerware, which not only facilitates illegal surveillance but also puts victims at risk of further compromise through data breaches.
The FTC has previously taken action against stalkerware companies for similar security lapses.
Stalkerware pcTattleTale for Windows and Android uploads victim data, including screenshots, to a vulnerable AWS server.
Security researcher Jo Coscia discovered the issue by analyzing the trial version.
The image URLs are built predictably from a device ID, a date, and a timestamp. Because the pattern is guessable, an attacker could potentially script a walk through candidate URLs and reach other victims’ data: every screenshot captured from a specific device, or even devices that were not previously known to be compromised.
A security researcher discovered a vulnerability in pcTattleTale, a monitoring software.
The vulnerability allowed unauthorized access to victims’ screenshots because the server served those images without any authentication check.
Even though the free trial promised data deletion upon expiration, the researcher found the screenshots remained accessible after the trial period ended, highlighting a potential security risk for users who might have relied on the software’s data deletion claim.
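The two design flaws described above, predictable image paths and no authentication on the image endpoint, are what a defender would fix first. The following Python example is an added illustration and is not pcTattleTale’s code; it contrasts a guessable path built from device ID, date and timestamp with a hardened design that (1) checks that the requesting account owns the device before issuing a link, (2) names objects with random keys that cannot be derived from the device or the time, and (3) signs the link with a server-held HMAC key and an expiry, so a leaked or retained URL stops working. The signing key, the ownership table, and all sample values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed example: a signing key held only by the storage/API server.
SERVER_SIGNING_KEY = secrets.token_bytes(32)

# Constructed ownership table: which authenticated account may view which device.
DEVICE_OWNERS = {"device-123": "account-alice"}


def weak_screenshot_path(device_id: str, day: str, timestamp: int) -> str:
    """The weak pattern: a path anyone can reconstruct from a device ID,
    a date and a timestamp. Shown only to contrast with the hardened design."""
    return f"/screenshots/{device_id}/{day}/{timestamp}.png"


def unguessable_object_key() -> str:
    """Random 256-bit object key; not derivable from device ID or capture time,
    so knowing one key tells you nothing about any other object."""
    return secrets.token_urlsafe(32)


def sign_url(path: str, expires_at: int) -> str:
    """Bind the path and an expiry time together under a server-side HMAC."""
    msg = f"{path}|{expires_at}".encode()
    sig = hmac.new(SERVER_SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{path}?expires={expires_at}&sig={sig}"


def verify_signed_url(url: str, now: int) -> bool:
    """Accept only an unexpired URL whose signature matches path and expiry."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires_at = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires_at:
        return False
    msg = f"{parsed.path}|{expires_at}".encode()
    expected = hmac.new(SERVER_SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison; a length mismatch is also rejected.
    return hmac.compare_digest(expected, sig)


def issue_screenshot_url(requesting_account: str, device_id: str,
                         object_key: str, now: int, ttl_seconds: int = 300):
    """Authorization first: only the device owner gets a link, and the link
    names a random object key and expires after ttl_seconds. Returns None
    when the requester does not own the device."""
    if DEVICE_OWNERS.get(device_id) != requesting_account:
        return None
    path = f"/screenshots/{object_key}.png"
    return sign_url(path, now + ttl_seconds)


if __name__ == "__main__":
    # Constructed walkthrough: an owner gets a short-lived link, a stranger gets nothing.
    key = unguessable_object_key()
    link = issue_screenshot_url("account-alice", "device-123", key, now=1000)
    print("owner link valid now:", verify_signed_url(link, now=1100))
    print("owner link after expiry:", verify_signed_url(link, now=1400))
    print("non-owner request:", issue_screenshot_url("account-bob", "device-123", key, now=1000))
```

The weak function is kept only to make the contrast concrete; in the hardened path the server never exposes device IDs or timestamps in URLs, every request must pass the ownership check, and retention (such as the post-trial screenshots the researcher found) is governed by deleting the objects rather than by hoping nobody guesses the path.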
Bryan Fleming, the creator of pcTattleTale, built the initial codebase in 2003 and rewrote it entirely in 2012 after acquiring full ownership.
The software stores user data for a while after deletion to allow for recovery if users accidentally delete their devices or their trial expires.
According to Vice, the system has experienced server crashes as its user base grew and currently receives around 40,000 unique visitors per month.
pcTattleTale is a spyware application designed to be installed stealthily on a target phone, which can be either an Android or an iPhone.
To install the app on an Android phone, the attacker needs physical access for around 5 minutes and the target’s passcode.
For an iPhone, the attacker must trick the target into revealing their iCloud password.
Once installed, pcTattleTale hides itself from the home screen and disables notifications to prevent the user from discovering it.
The software also advises users to disable antivirus software to avoid interference.
Norton 360 and Sophos antivirus programs alert users to the potential stalkerware use of pcTattleTale.
The software records user activity on workstations, which is a red flag for antivirus software designed to protect privacy.
The FTC has not commented on whether it is investigating pcTattleTale, but a recent enforcement action against another stalkerware company suggests it may take similar action against pcTattleTale.