API requests not authenticated by mobile device monitoring services
Consumer spyware is often sold under the guise of child or family surveillance software, but is also known as stalkerware because of its ability to track and monitor.
The website TechCrunch uncovered a security problem in this type of software that exposes the phone data, messages and locations of hundreds of thousands of devices: the apps collect personal information and send it to server infrastructure controlled by an operator, as the Vietnam-based website states.
Specifically, the backend infrastructure shared by multiple mobile device monitoring services does not properly authenticate and authorise API requests, resulting in an Insecure Direct Object Reference (IDOR) vulnerability.
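To make the IDOR pattern concrete from a defender's side, here is an added example that is not code from TechCrunch, CERT or any of the monitoring services. It models a backend with an in-memory store and constructed sample accounts, tokens and device records (all names and values are hypothetical): the vulnerable handler trusts the client-supplied device id, the hardened one authenticates the caller and then checks that the caller owns that specific object. It also includes a small log check that flags a source address requesting an unusually large number of distinct device ids, the kind of signal a service operator could alert on.

```python
"""Added example: IDOR in a monitoring-service API, its fix, and a log check.
All accounts, tokens, device ids and log lines below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data: two customer accounts, each owning one device.
ACCOUNTS_BY_TOKEN = {"tok-alice": "acct-1", "tok-bob": "acct-2"}
DEVICE_OWNER = {"dev-1001": "acct-1", "dev-1002": "acct-2"}
DEVICE_DATA = {
    "dev-1001": {"location": "51.50,-0.12", "messages": 42},
    "dev-1002": {"location": "48.85,2.35", "messages": 7},
}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def get_device_data_vulnerable(device_id: str) -> Response:
    """IDOR: the handler never establishes who is asking, so any caller
    that supplies a valid device id receives that device's data."""
    data = DEVICE_DATA.get(device_id)
    return Response(404, None) if data is None else Response(200, data)


def _authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Map a bearer token to an account id; None if missing or unknown."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return ACCOUNTS_BY_TOKEN.get(auth_header[len("Bearer "):])


def get_device_data_secure(auth_header: Optional[str], device_id: str) -> Response:
    """Hardened handler: authenticate the caller, then authorise the
    specific object. A foreign id gets 404 rather than 403 so the API
    does not confirm which identifiers exist."""
    account = _authenticate(auth_header)
    if account is None:
        return Response(401, None)
    if DEVICE_OWNER.get(device_id) != account:
        return Response(404, None)
    return Response(200, DEVICE_DATA[device_id])


# Constructed access-log lines: "<timestamp> <source-ip> <method> <path> <status>".
SAMPLE_LOG = """\
2022-02-22T10:00:01Z 203.0.113.5 GET /api/device/dev-1001 200
2022-02-22T10:00:02Z 203.0.113.5 GET /api/device/dev-1002 200
2022-02-22T10:00:03Z 203.0.113.5 GET /api/device/dev-1003 200
2022-02-22T10:00:04Z 203.0.113.5 GET /api/device/dev-1004 200
2022-02-22T10:00:05Z 203.0.113.5 GET /api/device/dev-1005 200
2022-02-22T10:05:00Z 198.51.100.7 GET /api/device/dev-1002 200
2022-02-22T10:06:00Z 198.51.100.7 GET /api/device/dev-1002 200
"""


def flag_enumeration(log_text: str, threshold: int = 3) -> Set[str]:
    """Return source addresses that requested more than `threshold` distinct
    device ids. A legitimate customer touches the few devices they own;
    a client walking through many ids is worth investigating."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].startswith("/api/device/"):
            continue
        seen[parts[1]].add(parts[3].rsplit("/", 1)[1])
    return {ip for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(get_device_data_vulnerable("dev-1002"))           # 200: no auth at all
    print(get_device_data_secure("Bearer tok-alice", "dev-1002"))  # 404: not hers
    print(flag_enumeration(SAMPLE_LOG))                        # {'203.0.113.5'}
```

The two handlers take the same object identifier; the only difference is that the hardened one binds the request to an authenticated account before it looks the object up, and treats "exists but not yours" exactly like "does not exist". The log check is deliberately simple (distinct ids per source address over a whole log); in production it would be windowed by time and keyed by the authenticated account as well as the address.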
References:
- 22/02/2022 techcrunch.com Behind the stalkerware network spilling the private phone data of hundreds of thousands
- 22/02/2022 cert.org Mobile device monitoring services do not authenticate API requests
- 22/02/2022 yahoo.com Behind the stalkerware network spilling the private phone data of hundreds of thousands
- 23/02/2022 adexchanger.com Proving The Telco Ad Hypothesis; Can Facebook Simply Make Reels Happen?