A “stalkerware” firm that openly markets itself as a way to track and monitor the online activities of a spouse or partner also has a glaring security hole that has exposed a significant portion of data to the web, according to a new report from Motherboard.
pcTattletale is essentially a keylogger. The company sells an app, compatible with Android phones and Windows PCs, that can monitor all of the activities on a target’s device—be it texts, emails, whatever. It claims this is a good way to “catch cheating husbands” and encourages customers to forcibly install the product on a significant other’s phone or computer—providing helpful tips on its website as to how to do that and not get caught.
With the cute, heartwarming slogan “Watch Them From Your Phone or Computer,” the company apparently doesn’t have any interest in coming off as subtle or unassuming. Instead, it goes full-bore in the opposite direction, letting you know its product is a perfectly good way to violate personal boundaries and mine the inner reaches of your boyfriend or girlfriend’s device, spy on your employees, or surveil your own child.
On top of all that, the company reportedly has a fairly bad security flaw that could allow a stealthy operator to access images captured from compromised devices.
Motherboard reports that the company uploads screenshots taken from infected phones to an AWS server. However, that server is not protected by authentication, meaning that no password or other credential is needed to view the images stored within it. Instead, all you need is the URL of a specific screenshot—the likes of which are automatically generated for each individual image and are made up of the associated device ID, the date it was taken, and a timestamp. Motherboard breaks down the whole thing like this:
The URL for images that pcTattleTale captures is constructed with the device ID—a code given by pcTattleTale to the infected device that appears to be sequentially generated—the date, and a timestamp. Theoretically, an attacker may be able to churn through different URL combinations to discover images uploaded by other infected devices.
The flaw was discovered by a security researcher named Jo Coscia, who says they found the security flub while perusing a trial version of the company’s software. Motherboard similarly downloaded the program and independently verified the researcher’s findings. While the outlet notes that recreating individual timestamps for specific images would be tricky, an unscrupulous person with a lot of time on their hands and the right tools could, theoretically, manipulate this situation to search for other images besides their own.
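As an added illustration (not code from the article or from pcTattletale), here is the key scheme Motherboard describes beside the two fixes a defender would want: object keys that cannot be derived from a device ID and timestamp, and a server-side ownership check so that knowing a URL is not enough on its own. The account names, device ID and timestamp are constructed sample values.

```python
import secrets
from datetime import datetime, timezone

# Constructed sample values, not real pcTattletale identifiers.
SAMPLE_DEVICE_ID = 1042
SAMPLE_TIME = datetime(2021, 9, 14, 15, 30, 7, tzinfo=timezone.utc)


def predictable_key(device_id: int, taken_at: datetime) -> str:
    """Key scheme as the article describes it: every part is guessable.

    A sequential device ID, the date and a Unix timestamp leave only a
    small, structured search space between one screenshot and the next.
    """
    return f"{device_id}/{taken_at:%Y-%m-%d}/{int(taken_at.timestamp())}.png"


def unguessable_key(taken_at: datetime) -> str:
    """Hardened key: a 128-bit random nonce stands in for the device ID.

    The date prefix is kept for lifecycle rules; nothing in the key
    reveals which device it belongs to or lets a neighbouring key be derived.
    """
    return f"screenshots/{taken_at:%Y-%m-%d}/{secrets.token_urlsafe(16)}.png"


class ScreenshotStore:
    """Minimal stand-in for the bucket plus the access check it lacked."""

    def __init__(self) -> None:
        self._objects = {}  # key -> (owner account, image bytes)

    def put(self, owner_account: str, taken_at: datetime, data: bytes) -> str:
        key = unguessable_key(taken_at)
        self._objects[key] = (owner_account, data)
        return key

    def can_read(self, requester_account: str, key: str) -> bool:
        """Authorization: the key must exist and the requester must own it."""
        entry = self._objects.get(key)
        return entry is not None and entry[0] == requester_account

    def get(self, requester_account: str, key: str) -> bytes:
        """Knowing a key is not enough; ownership is checked on every read."""
        if not self.can_read(requester_account, key):
            raise PermissionError("screenshot is not readable by this account")
        return self._objects[key][1]
```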
When reached for comment, Bryan Fleming, of pcTattletale, claimed that the URLs were actually encrypted. His email partially reads: “The URLs are encrypted with keys to the account they belong to. You are not able to see other people’s URLs. So I think the whole story is taken out of context. Yes you can take you[r] own account and try to derive your other screen shots. That is possible.”
Stalkerware companies have often been criticized, both for their frequent security lapses and their basic premise—which critics say allows abusive individuals to monitor and control current and ex-partners. pcTattletale CEO, Bryan Fleming, has said that products like his are inordinately used by women, but a study published last February by NortonLifeLock claimed that men were more than twice as likely to use stalkerware on their partners or ex-partners. Further analysis has shown that the pandemic greatly increased the degree to which such programs were used against women.
Earlier this month, the Federal Trade Commission made a first-of-its-kind decision to ban a stalkerware firm, SpyFone, from the market—signaling a potential willingness on the part of federal authorities to crack down on such businesses.
This story has been updated with a comment from pcTattletale.