Submitted via IRC for SoyCow4408
A company that markets cell phone spyware to parents and employers left the data of thousands of its customers—and the information of the people they were monitoring—unprotected online.
The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, among others, according to a security researcher who asked to remain anonymous for fear of legal repercussions.
Last week, the researcher found the data on an Amazon S3 bucket owned by Spyfone, one of many companies that sell software that is designed to intercept text messages, calls, emails, and track locations of a monitored device.
[...] The researcher said that the exposed data contained several terabytes of "unencrypted camera photos."
"There's at least 2,208 current 'customers' and hundreds or thousands of photos and audio in each folder," he told Motherboard in an online chat. "There is currently 3,666 tracked phones."
The company's backend services were also left wide open, not requiring a password to log into them, according to the researcher, who said he was able to create admin accounts and see customer data.
Spyfone also left one of its APIs completely unprotected online, allowing anyone who guesses the URL to read what appears to be an up-to-date and constantly updating list of customers. The site shows first and last names, email and IP addresses. As of Thursday, there were more than 11,000 unique email addresses in the database, according to a Motherboard analysis.
(Score: 2) by SomeGuy on Friday August 24 2018, @10:25PM (4 children)
So anyone got a torrent link? :P
(Score: 2) by SomeGuy on Friday August 24 2018, @10:32PM (1 child)
Aw crap, now I notice the post above screws the context of my joke. The point is this data is certain to contain lots of stuff that could be used for blackmail, embarrassment, fraud, or such, and THIS TIME there is only the grace of the researcher that prevents this data from being downloadable in bulk to every last person on the planet.
(Score: 2) by takyon on Saturday August 25 2018, @12:21AM
I wonder what the breakdown is on whether white hats or black hats get to this stuff first. Because we've heard of plenty of security holes like this one that *potentially* left data accessible, but are apparently detected by a security researcher or the company first. Or at least, the stuff isn't just dumped online somewhere... yet.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by janrinok on Saturday August 25 2018, @06:39AM (1 child)
(Score: 2) by janrinok on Saturday August 25 2018, @06:40AM