A stalkerware company whose product is designed to let customers spy on their spouses', children's, or employees' devices is exposing victims' data, allowing anyone on the internet to see screenshots of phones simply by visiting a specific URL.
The news highlights the continuing lax security practices that many stalkerware companies use; not only do these companies sometimes market their tools specifically for illegal surveillance, but the targets are re-victimized by these breaches. In recent years the Federal Trade Commission (FTC) has acted against stalkerware companies for exposing victim data.
The stalkerware company, called pcTattleTale, offers the malware for Windows computers and Android phones.
"Discover their secret online lives right from your phone or computer," a Facebook post from pcTattleTale reads. "pcTattletale is a popular keylogger and montoring [sic] app that you can use to see what you [sic] kids, spouse, or employees are doing online."
Do you work for a stalkerware company? Do you know about any other data breaches of stalkerware companies? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
Security researcher Jo Coscia showed Motherboard that pcTattleTale uploads victim data to an AWS server that requires no authentication to view specific images. Coscia said they found this by using a trial version of the stalkerware. Motherboard also downloaded a copy of the trial version of pcTattleTale and verified Coscia's findings.