Flaw: Spyware for spouse broadcasts screenshots of devices in real time

Do you know that not all spyware is installed by governments or hackers? Indeed, there is spyware, or stalkerware, which targets a whole other clientele. This spyware is sometimes used by parents to monitor their children, employers to spy on their employees or by men or women who want to spy on their partner.

However, these software are highly criticized because of ethical issues but also for their lax security. Precisely, one of these software is subject to a security vulnerability: pcTattletale.

Screenshots of targeted devices posted unprotected on the web

This “pcTattletale” is stalkerware that can be installed on a Windows computer or on an Android device. However, cybersecurity expert Joseph Cox recently discovered a security flaw in this software. Indeed, this application regularly takes screenshots of the victim’s activity and saves them on an AWS server without any protection. Thus, these screenshots are found directly on the Web and accessible via a simple URL, without any identification being required.

To access these images, you must first know the exact address of each capture. However, if someone accesses a shared screenshot, then they could create a brute force attack script to find the other images from the spy device (the image url is formed from device identification and date). Therefore, it is possible to discover even the images from other devices.

For information, “pcTattletale” is sold on a website of the same name in which it is offered as a free one-week trial. However, the recorded images remain accessible after this trial period.