FRESH

Hacker News

Taking over 60k spyware user accounts with SQL injection

236 points by mtlynch

by mtlynch

7 subcomments

by bspammer

5 subcomments

It's unexpected to me that someone with the technical knowhow to build spyware like this and a nice web interface for it, made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.

by ryanrasti

2 subcomments

> Q: Can I monitor a phone without them knowing?
> A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.
How is that even possible on a modern Android? I'd think one of the explicit goals of the security model would be to prevent this.

by gpm

0 subcomment

The TechCrunch article says
> Google said it added new protections for Google Play Protect
But the screenshot of the device settings in the article shows that the app has you turn off Google Play Protect. So does this even do anything?
Meanwhile Google (via its firebase brand) is apparently continuing to act as a host for this app...

by JohnMakin

1 subcomments

some time ago I was having super weird phone issues (iphone) and narrowed it down to one of these services. I clearly had been 0 click vuln’d because I couldnt fathom how else it could have been infected, but had no idea who or why, still dont know. felt extremely gross and I have absolutely zero sympathy for any users or operators of these services and think this researcher was far too polite about it.

by blueplanet200

6 subcomments

From sqlmap
> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.

by zero_k

0 subcomment

Sometimes, I wish engineers running backend services were not hindered by management nonsense and would just nuke these systems when they are reported, sufficiently backed up with evidence (like here -- though I'd do a personal check first to verify). Seems like some did (congrats), others didn't (Firebase). I can assure you if I was on the other end, I would have escalated until I got fired or the service was down. Unimaginable that some let these run, wake up in the morning, look in the mirror and aren't ashamed of themselves.
People will continue doing their unethical behaviour not because we aren't on the streets fighting for the right thing, but because we just don't care enough, and let them continue.

by esaym

0 subcomment

> The live photo and microphone options are particularly creepy, successfully taking a photo or recording and uploading it for me to view near-instantly on the control panel without giving the phone user the slightest sign that anything is amiss
Oh dear.

by ceva

0 subcomment

Someone who is in malware business will 100% not sue you for what you did, i wouldn't worry about that at all. You did a good job!

by bluelightning2k

0 subcomment

isn't using software like this deeply illegal? or is that a legislative blind-spot? seems like this database should be sent to the FBI and someone can make a career out of prosecuting