Hacked stalking app reveals victims’ photos, texts and location info | Cyber Security


Another mobile stalking app has been hacked, endangering both its customers and the victims that they spy on. According to Motherboard, an anonymous hacker gained access to servers at TheTruthSpy, a company that advertises software for jealous partners to track each other.

TheTruthSpy sells an iOS and Android app that lets one person spy on another person’s phone. It is not available on the official app stores: on iOS it requires a jailbroken iPhone, and on Android it has to be sideloaded from outside the official store. It should be installed only on “the phone they own and have proper consent to monitor,” according to the company’s website, which also advertises it for catching cheating spouses and has a section titled “how to hack a cell phone”. Hmm.

The site’s painfully-worded blurb reads thus:

If you are not able to make sure that whether your spouse is cheating on you or not, you can use a spying application to remove your doubts. Taking the help of spy apps, you can collect evidence against your spouse.

The software lets people track the location of a victim’s phone, view their call logs (including deleted ones) and record calls, monitor instant messages, SMS texts and browsing histories, and even eavesdrop on the victim wherever they are.

Exposing the keys to the kingdom

The hacker, who contacted Motherboard using the initials LM, reverse-engineered the Android app and found a vulnerability that they used to access the company’s media server. There, they were able to retrieve a list of unique customer IDs along with audio files.

They used the IDs as parameters in web queries, which returned the customers’ usernames and passwords in plaintext. In other words, the server trusted whatever ID appeared in the request, never checked that the requester owned that account, and stored the passwords unhashed: an insecure direct object reference sitting on top of plaintext credential storage. A quick script enabled them to slurp 10,000 login credentials, which gave them access to pictures, audio recordings, location information and text messages from the spying victims’ phones. That’s a stalker’s dream, and it puts thousands of people at risk.
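The lookup flaw described above, modelled in Python as an added example (this is not TheTruthSpy’s code, and the customer IDs, usernames and passwords below are constructed): a handler that trusts the ID in the request and hands back the stored plaintext password, the enumeration loop that harvests it, and a hardened handler that requires a session owning the requested record and keeps only salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Optional

# Constructed sample data standing in for the leaked customer table. As the
# article describes, the vulnerable service keeps passwords in plaintext.
VULNERABLE_DB = {
    1001: {"username": "alice", "password": "hunter2"},
    1002: {"username": "bob", "password": "letmein"},
    1003: {"username": "carol", "password": "Passw0rd!"},
}


def vulnerable_lookup(customer_id: int) -> Optional[dict]:
    """Models the exposed endpoint: the ID in the request is trusted outright.
    No session, no ownership check, and the stored plaintext password comes back."""
    return VULNERABLE_DB.get(customer_id)


def enumerate_accounts(lookup: Callable[[int], Optional[dict]], start: int, stop: int) -> list:
    """The 'quick script': walk a range of IDs and keep whatever the endpoint returns.
    Yields (id, username, password-or-None) tuples for every record that came back."""
    found = []
    for cid in range(start, stop):
        rec = lookup(cid)
        if rec is not None:
            found.append((cid, rec.get("username"), rec.get("password")))
    return found


# --- Hardened version ------------------------------------------------------
PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; only salt and digest are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _hardened_record(rec: dict) -> dict:
    salt, digest = hash_password(rec["password"])
    return {"username": rec["username"], "salt": salt, "pw_hash": digest}


HARDENED_DB = {cid: _hardened_record(rec) for cid, rec in VULNERABLE_DB.items()}
SESSIONS: dict = {}  # session token -> customer_id


def login(username: str, password: str) -> Optional[str]:
    """Verify against the stored hash in constant time and issue a random session token."""
    for cid, rec in HARDENED_DB.items():
        if rec["username"] != username:
            continue
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["pw_hash"]):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = cid
            return token
    return None


def hardened_lookup(session_token: str, customer_id: int) -> Optional[dict]:
    """Requires a valid session whose owner is the requested customer_id.
    Unknown and foreign IDs get the same 'nothing' answer, so IDs cannot be probed,
    and no password material is ever returned."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != customer_id:
        return None
    return {"username": HARDENED_DB[customer_id]["username"]}


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, 1000, 1010))
    print("hardened, no session:", enumerate_accounts(lambda c: hardened_lookup("bogus", c), 1000, 1010))
    tok = login("alice", "hunter2")
    print("hardened, alice's session:", enumerate_accounts(lambda c: hardened_lookup(tok, c), 1000, 1010))
```

Run against the vulnerable handler, the same ten-ID sweep that the article describes returns every account with its password; against the hardened handler it returns nothing without a session and, with Alice’s session, only Alice’s own username. The two fixes are independent and both matter: the ownership check stops the enumeration, and hashing means that even a dump of the table would not hand over usable credentials.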