This spyware data leak is so serious that we cannot even talk about it


This story is part of When Spies Come Home, a Motherboard series on the powerful surveillance software that ordinary people use to spy on their loved ones.

A company that sells consumer software allowing customers to spy on the calls, messages, and everything else on a target's mobile phone has left more than 95,000 images and more than 25,000 audio recordings in a database accessible to anyone on the internet. The exposed server contains two folders holding everything from intimate images to recordings of phone calls, given that the app is marketed primarily to parents.

Troy Hunt, a researcher who runs the breach database Have I Been Pwned, analyzed the data and reported that it contained about 16 gigabytes of images and about 3.7 gigabytes of MP3 recordings. Motherboard confirmed his analysis. (It is hard to say how many unique images and recordings there are, however, as some images appear to have been uploaded more than once.)

This leak is just the latest in a seemingly endless series of breaches and exposures of extremely sensitive data collected by companies that promise to help parents protect their children, employers monitor employees, or people spy on their spouses. Over the last two years, stalkerware companies have been breached or have left data exposed online at least 12 times: Retina-X (twice), FlexiSpy, Mobistealth, Spy Master, SpyHuman, Spyfone, TheTruthSpy, Family Orbit, mSpy, Copy9, and Xnore.

We cannot tell you the name of the company that is the latest, but surely not the last, to join this list. That is because, despite our repeated attempts to alert the company to the leak, it has neither fixed the problem nor acknowledged our requests for comment. Because the exposed data violates the privacy of hundreds or even thousands of people, and because the data is still very easy to find and browse, simply naming the company could lead bad actors straight to it.

Do you have a tip? You can contact this reporter securely on Signal at +1 917 257 1382, on OTR chat at [email protected], or by email at [email protected].

Cian Heasley, a security researcher, found the exposed database and contacted us earlier this year. The database has been online for at least six weeks, and new images and audio recordings are still being uploaded to it almost daily. We will not name the company, in order to protect victims who may be spied on without their consent or knowledge, and whose photos and calls are, on top of that, being uploaded to a server open to anyone with an internet connection.

We spent weeks trying to responsibly disclose this vulnerability to the company and get the private images secured. We emailed the company's official address listed on its site. No answer. We emailed the site administrator's Gmail address, which also appears to belong to the company's founder. No answer. We left a voicemail at a Google Voice number listed in the site's WHOIS records. No answer.

We contacted GoDaddy, the registrar for the company's main site and for the leaked database, which sits on the same domain. GoDaddy employees told us there was not much they could do.

The United States Federal Trade Commission did not respond to a request for comment.

The provider actually hosting the content, a hosting company called Codero, did not respond to several emailed requests for help.


So, as of today, a few weeks after Heasley found the database and Motherboard first tried to warn the company, the images and audio recordings are still online, in plain sight, for anyone to view and listen to.

Motherboard has not been able to reach the victims or the customers, because the exposed server contains no contact information, such as email addresses or phone numbers, for either victims or users. Even so, the uploaded data is extremely sensitive, potentially identifying, and in some cases consists of nude and otherwise intimate images.

The spy app that is leaking this data lets its customers monitor just about everything on the phone it is installed on. The spyware allows the operator to read the phone's contacts and text messages, listen to calls, record ambient sound by activating the microphone, and more.

Heasley, who analyzes the security of several stalkerware apps, said the URL of the database was exposed in the app's source code. The URL is also relatively easy to guess.
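The two findings described above, a server address hardcoded in the app and a storage folder that anyone can browse, are the first things a practitioner looks for when triaging a stalkerware sample. The script below is an added example and is not code from Motherboard or from the researchers; it pulls URLs out of a constructed snippet of decompiled app code, flags the ones worth a closer look, and parses a constructed web-server directory listing to tally what such a folder exposes. The hostname example.com is a reserved documentation domain, not the vendor in the story, and both inputs are made up for illustration.

```python
from __future__ import annotations

import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: lines as they might look in a decompiled Android
# app. example.com is an RFC 2606 documentation domain, not a real vendor.
SAMPLE_SOURCE = """
public class UploadService {
    private static final String API = "https://api.example.com/v1/sync";
    private static final String MEDIA_ROOT = "http://example.com/uploads/";
    private static final String CALLS = "http://example.com/uploads/calls/";
    private static final String DEBUG = "http://10.0.2.2:8080/debug";
}
"""

# Constructed sample response: what a web server's automatic directory
# index looks like when listing is left enabled on an upload folder.
SAMPLE_LISTING = """<html><head><title>Index of /uploads/</title></head><body>
<h1>Index of /uploads/</h1>
<a href="../">../</a>
<a href="calls/">calls/</a>
<a href="2019-02-11_091533.jpg">2019-02-11_091533.jpg</a>
<a href="2019-02-11_091534.jpg">2019-02-11_091534.jpg</a>
<a href="rec_20190211_1200.mp3">rec_20190211_1200.mp3</a>
</body></html>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def extract_endpoints(source: str) -> list[str]:
    """Return the distinct URLs hardcoded in a decompiled source blob, in order found."""
    found: list[str] = []
    for match in URL_RE.finditer(source):
        url = match.group(0)
        if url not in found:
            found.append(url)
    return found


def triage_endpoints(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to the reasons it deserves a closer look.

    'cleartext'  - plain http, so uploads can be read on the wire
    'directory'  - path ends in '/', a candidate for an open directory listing
    'private-ip' - developer-only address (Android emulator host 10.0.2.2, loopback)
    """
    flags: dict[str, list[str]] = {}
    for url in urls:
        parts = urlparse(url)
        reasons: list[str] = []
        if parts.scheme == "http":
            reasons.append("cleartext")
        if parts.path.endswith("/"):
            reasons.append("directory")
        if parts.hostname in ("10.0.2.2", "127.0.0.1", "localhost"):
            reasons.append("private-ip")
        if reasons:
            flags[url] = reasons
    return flags


class _IndexParser(HTMLParser):
    """Collect the <title> text and every href from an auto-generated index page."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: list[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_autoindex(html: str) -> tuple[bool, Counter]:
    """Detect an 'Index of' listing and tally what it exposes by file extension.

    Subdirectories are counted under the key '<dir>'; the parent link is skipped.
    """
    parser = _IndexParser()
    parser.feed(html)
    is_listing = parser.title.strip().startswith("Index of")
    tally: Counter = Counter()
    for href in parser.hrefs:
        if href in ("../", "./"):
            continue
        if href.endswith("/"):
            tally["<dir>"] += 1
        else:
            tally[href.rsplit(".", 1)[-1].lower() if "." in href else "<none>"] += 1
    return is_listing, tally


if __name__ == "__main__":
    for url, why in triage_endpoints(extract_endpoints(SAMPLE_SOURCE)).items():
        print(f"{url}: {', '.join(why)}")
    listing, tally = parse_autoindex(SAMPLE_LISTING)
    print("open directory listing:", listing, dict(tally))
```

In practice the first half is run over the output of a decompiler such as apktool or jadx, and the second over a real HTTP response fetched only with the operator's authorization; the tally is what a responsible disclosure report cites (counts and file types, never the contents).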

"That's the level of security these people operate at," Heasley, who is studying computer security and forensics at Napier University in Edinburgh, Scotland, said in an online chat. "It would be funnier if it weren't victims' data that's being leaked."

"People should not use these tools in the first place," Eva Galperin, who has researched stalkerware and is the director of cybersecurity at the Electronic Frontier Foundation, told Motherboard. "But the fact that these companies are not very good at securing their own data is just the cherry on top of the 'bad idea' sundae."

Additional reporting by Joseph Cox.

Listen to CYBER, Motherboard's new weekly podcast about hacking and cybersecurity.
