Soon after an independent researcher exposed a vulnerability in the commercial-grade pcTattletale spyware tool that could compromise recordings, the tool’s website was hacked and defaced.
The hacker claimed to have accessed at least 17TB of victim screenshots and other sensitive data, viewing the site’s hacking as a personal challenge after a researcher’s limited disclosure to prevent exploitation of the flaw by bad actors. Amazon promptly placed an official lock on the site’s AWS infrastructure following the hacking incident.
The pcTattletale spyware’s flawed architecture and its discovery demonstrate the inherent vulnerabilities present in common spyware applications, potentially impacting not just individuals but entire organizations and families.
pcTattletale Spyware Vulnerabilities and Poor-Data Handling Practices
The pcTattletale spyware tool offered a live feed of screenshots from the victim’s device as its primary feature, alongside typical spyware functionalities like location tracking. However, this extensive monitoring feature backed on poor infrastructure and data-handling practices has also been its downfall, with data breaches exposing private data of targets.
First, a 2021 data breach incident demonstrated Individual Directory Override (IDOR) vulnerabilities in the spyware tool’s domain infrastructure, potentially allowing access to sensitive data through guessable Amazon S3 URLs.
Last week, researcher Eric Daigle uncovered an API bug that also potentially allowed access to sensitive data across registered devices. This vulnerability allowed unauthorized users to access private information in the form of comprehensive screen recordings.
A subsequent hack then exposed pcTattletale’s backend to the public, revealing an astonishing disregard for secure practices. The hacker discovered that the spyware shipped with hardcoded AWS credentials, accessible via a hidden webshell, potentially enabling years of undetected data exfiltration. This oversight, remarkable for its simplicity and duration, underscores a major failure in the handling of user data.
pcTattletale Spyware Latest Hack
The hacker defaced pcTattletale’s official site, replacing it with a writeup of the operation and links to compromised data obtained from the site’s AWS infrastructure. The vastness of the data stored by pcTattletale was found to be overwhelming, with the hacker reporting their discovery of over 17 terabytes of victim device screenshots from more than 10,000 devices, some dating back to 2018.
Although the released data dump did not include these screenshots, it reportedly contained database dumps, full webroot files for the stalkerware service, and other S3 bucket contents, exposing years of sensitive information.
The breach also uncovered a simple webshell hidden since at least December 2011 in the spyware’s backend code. This backdoor allowed for arbitrary PHP code execution through the use of cookies, raising questions about its origin—whether it was placed by pcTattletale itself as a backdoor or a threat actor.
The hacker later updated the defaced site to share a video, claiming it as footage of the pcTattletale’s founder attempts to restore the site.
It took over 20 hours for the defaced website to be taken down, with the pcTattletale’s service continuing to send screenshots to the S3 bucket until Amazon officially locked down the spyware service’s AWS account.
Following the official lockdown of the site’s AWS infrastucture, security researcher Eric Daigle, expanded his earlier limited disclosure with step-by-step exploit of the stated flaw. He noted that while the site’s attacker exploited an unrelated flaw, it was about as equally trivial in it’s complexity.
Victims Affected by pcTattletale Spyware Data Leak
The pcTattletale data leak is particularly alarming as several organizations employed the tool to monitor employees and clients, exposing confidential information across various sectors, such as banks, law firms, educational institutes, healthcare providers, and even government agencies. Notable instances of victims affected by the data breach as stated by security researcher maia crimew who explored the incident and shared data in a blog article, include:
- Hotels leaking guest information such as personal data and credit card details.
- Law firms exposing lawyer-client communications and client bank-routing information
- A bank revealing confidential client data
- Educational institutes such as schools and childcare centers monitoring employees or students, revealing personal data.
- Healthcare providers exposing patient information.
- Palestinian government agency employee monitored.
- The HR department of a Boeing supplier revealing personal information of employees .
- Tech companies secretly installing pcTattletale on employee devices suspected of wrongdoing, exposing internal systems and source code.
- A bug bounty hunter who installed the software for pentesting, then immediately tried to uninstall it.
Concerningly, the spyware was also offered as a way for parents and spouses to maintain tabs over their children and partners respectively, potentially exposing this information in the resulting breach.
Given the wide range of affected companies and the significant security lapses, security researcher maia crimew noted that pcTattletale could face severe repercussions, possibly leading to a cessation of its operations as the Federal Trade Commission (FTC) had previously ordered other US stalkerware developers to cease operations following breaches, with pcTattletale’s case poised for similar consequences.
The widespread misuse and systemic security failures of pcTattletale highlight the dangers inherent in stalkerware software and services, as well as the urgent need for stringent regulatory oversight and robust security measures over these tools to protect the data and privacy of individuals and organizations.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
