In the distant era before mobile phones were everywhere, spying on the Internet use of your fellow household members was relatively straightforward, because their access to the Internet stayed in one place. But with cell phones, you can take the Internet with you everywhere, and store it in your pocket, so what's a nosy privacy violator to do?
It turns out that there's a whole cottage industry of mobile spyware apps designed to close the gap -- and their reputations for data security are sketchy at best. In fact, it almost looks like these apps are an exercise in hoovering up as much private information as possible, for the purpose of surfing through it for entertainment purposes.
Just a few weeks ago, we reported on SpyHuman, a spyware vendor whose subpar site security exposed hundreds of millions of pieces of data. And today, cybersecurity veteran Brian Krebs reported on his blog that another such company, mSpy, is leaking data too, for the second time in three years. And this time, it's on another level.
One of the most important aspects of user data privacy is compartmentalization. This makes sure that the employees of the company that's securing your data only have access to the user information that they need to do their jobs. Companies can get in big trouble when anyone from an intern to Bob in accounting can readily access a database containing sensitive customer data.
The lapses in these areas are one reason why end-to-end encryption is shooting up in popularity, and why apps like Signal default to not allowing you to take screenshots.
Now, imagine if you could access a large chunk of mSpy's database without even needing a username or password. No checks to make sure that you're an employee or a customer. You don't have to be an expert hacker, either. You just need to have the right URL.
Krebs reports that he received just such a URL last week, from fellow cybersecurity watchdog Nitish Shah, and he was able to access "millions of records." Such as: usernames, passwords, and encryption keys for mSpy's customers; a six-month record of every mSpy purchase; iCloud logins and authentication tokens; WhatsApp and Facebook messages; and email addresses and street addresses.
Furthermore, Shah reports that he was ignored and rebuffed when he contacted mSpy about this latest flood of publicly viewable spyware data.
Thankfully, the database was taken down after repeated inquiries, but the damage was done. And given mSpy's sketchy past, this probably isn't the last time we'll be hearing about them in the news.
Krebs goes on to detail several years of naughty behavior at mSpy headquarters -- wherever it may be. Its office location is actually a bit of a mystery as well. Documents variously point to Jacksonville, Florida, Mountain View, California, and even the Seychelles. Krebs also reminds us that these sorts of apps are literally illegal in the United States, which is why you won't find mSpy on the Google Play Store or the iOS App Store.
And judging by this latest news, you shouldn't go looking for it, either.
- The spyware vendor mSpy recently employed very poor security to protect its customer data, exposing millions of user accounts to anyone who had access to a specific URL.
- mSpy was not making any attempt to verify that the user of the URL was authorized to access the database; no password or user name was necessary to obtain these records, which include text messages, home addresses, and payment information.