Hacker defaces spyware app’s site, dumps database and source code

​​A hacker has defaced the website of the pcTattletale spyware application, found on the booking systems of several Wyndham hotels in the United States, and leaked over a dozen archives containing database and source code data.

As Vice reported three years ago, this stalkerware app was also found leaking real-time screenshots from Android phones.

Described by its developers as an "employee and child monitoring software," pcTattletale is a consumer-grade spyware solution that was leaking guest details and customer information captured from the hotels' check-in systems because of an API security vulnerability, according to TechCrunch.

Security researcher Eric Daigle found the spyware in the hotel's systems and published a blog post explaining that the pcTattletale flaw he discovered can be used to access screenshots the malware makes on other devices.

"I recently discovered a serious vulnerability in PCTattletale's API allowing any attacker to obtain the most recent screen capture recorded from any device on which PCTattletale is installed. It is distinct from the IDOR previously discovered by Jo Coscia, and makes it trivial to actually obtain captures from other devices," Daigle said.

"Unfortunately, PCTattletale have ignored Zack and I's attempts at contacting them to fix the issue, so I can't give any more details here to avoid encouraging abuse of the vulnerability. Hopefully the stalkerware author(s) can be bothered to fix the issue soon, at which point I can give a full writeup."

In a YouTube video from seven years ago, pcTattletale's developer Bryan Fleming describes it as "Spy Software" while introducing its first Android test version.

"Download a free trial and put it on your Windows Home PC and watch how it works. It's pretty amazing how it does a recording of keystrokes and you can see anything your kids are doing on the computer or your employees," Fleming says in the video.

While he describes it as spy software, Microsoft tracks pcTattletale as a threat and says it "watches what you do on your PC, usually by recording your keystrokes or screen images" and it "tries to steal your sensitive and confidential information."

Daigle's attempts to contact the developers to fix the security flaw failed, and the vulnerability still allows access to sensitive information belonging to users stalked using the pcTattletale spyware.

While the security researcher only shared a limited amount of info regarding this severe flaw, someone took it as a challenge, defacing the spyware's website and leaking 20 archives containing source code and data dumped from pcTattletale's databases.

However, as the hacker says on the now-defaced website, he didn't exploit the vulnerability Daigle found. Instead, he claims he used a Python exploit to extract pcTattletale's AWS credentials via its SOAP-based API, which provided access to the spyware's source code and databases.

BleepingComputer reached out to Fleming with further questions, but a response was not immediately available.

Update 5/25/24: Since our last reporting, the person who breached the site shared a video of what they claim is the website owner trying to restore the site via FTP. Ironically, this video was allegedly taken through the pcTattleTale software, which was installed on the owner's own device.

The pcTattletale website has now been taken offline, and the Have I Been Pwned data breach notification service has added the information for those exposed to this breach.

According to HIBP's Troy Hunt, approximately 100GB of data was leaked, which contained the device info, MD5 hashed passwords, and SMS texts for 139,000 unique email addresses. Of these emails, approximately 58% were already in the data breach notification service.

Hunt told BleepingComputer that his service will notify over 1,000 people who subscribe to his service about the breach.