NEWS FROM THE LAB - Tuesday, October 2, 2007

Leaky Spy Tools? Posted by Jarno @ 12:22 GMT

One of the difficulties with spy tool applications is that even when they are used legitimately, the application vendor still has to handle the confidential data they collect properly.

Case in point: Mobile-Spy for Windows Mobile.

Until recently (the last 48 hours or so) they had an issue with their web interface. The issue potentially allowed access to any communication data collected by their software.

Now that they've resolved the issue, we'll explain…

By using their Demo account to log onto their system, you were only supposed to be able to access demo messages. The logon is found at the following URL:

[Screenshot: Smart Demo]

This URL is from one of the demo messages that you're supposed to be able to view. Notice that the message ID is plainly visible in the URL. So, what happened if you changed the ID number in the URL?

[Screenshot: Demo URL]

We used 34841 as an example:

[Screenshot: Test URL]

Last week the result of adjusting the URL was this:


And now the result is this:


So, Mobile Spy has corrected the potential problem. You can read more details from ZDNet.

Déjà vu?

This reminds us of something…

During July, Brian Krebs of Security Fix wrote about exactly the same issue but with another mobile phone spy application.

This seems to have been the other vendor's solution: ignore reporters asking questions, fix the problem, then speak with the reporters and deny any knowledge of the issue.

With this approach to security, we wonder just how secure the rest of such spy tool applications are.

Updated to Add: We've received some communication from our readers that while Mobile-Spy's web interface issue has been addressed, the site may still be vulnerable to an SQL injection attack. We have not confirmed this, but if true, this means that all of the customer information is still accessible to anyone using the Demo account.

We have notified Mobile-Spy.
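The flaw described above (a message ID in the URL that is looked up without checking which account it belongs to) and the parameterised-query point raised in the update are easy to show side by side. The following is an added example written for this post, not Mobile-Spy's code; the account names, message IDs, message texts and log lines are all constructed, and the `vulnerable_view` / `hardened_view` / `flag_enumeration` functions are hypothetical names for the handler and a simple log check.

```python
import sqlite3
import secrets
from urllib.parse import urlparse, parse_qs


def build_db():
    """Constructed in-memory stand-in for a vendor's message store.
    Account 1 is the demo account; account 2 is a paying customer."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute(
        "CREATE TABLE messages ("
        " id INTEGER PRIMARY KEY,"
        " token TEXT UNIQUE,"          # random handle, an alternative to exposing the row id
        " account_id INTEGER NOT NULL,"
        " body TEXT)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(1, "demo"), (2, "paying-customer")])
    sample = [
        (34840, 1, "Demo message: this is a sample SMS"),          # constructed
        (34841, 2, "Private SMS belonging to another account"),    # constructed
    ]
    for mid, acct, body in sample:
        db.execute("INSERT INTO messages VALUES (?, ?, ?, ?)",
                   (mid, secrets.token_urlsafe(16), acct, body))
    return db


def vulnerable_view(db, session_account_id, message_id):
    """Looks a message up by its id only. The logged-in account is ignored, so the
    demo account can read any customer's message by editing the id in the URL."""
    row = db.execute("SELECT body FROM messages WHERE id = ?",
                     (message_id,)).fetchone()
    return row[0] if row else None


def hardened_view(db, session_account_id, message_id):
    """Scopes the lookup to the authenticated account: an id owned by someone else
    yields 'not found' instead of the message. The id is validated as an integer
    and bound as a query parameter, so it never becomes part of the SQL text."""
    try:
        message_id = int(message_id)
    except (TypeError, ValueError):
        return None
    row = db.execute(
        "SELECT body FROM messages WHERE id = ? AND account_id = ?",
        (message_id, session_account_id),
    ).fetchone()
    return row[0] if row else None


# Constructed web-server access log: "<session> GET <path>" per line.
SAMPLE_LOG = """\
demo-sess GET /messages?id=34840
demo-sess GET /messages?id=34841
demo-sess GET /messages?id=34842
demo-sess GET /messages?id=34843
cust-sess GET /messages?id=34841
"""


def flag_enumeration(log_text, max_ids_per_session=3):
    """Return (sorted) sessions that requested more than max_ids_per_session
    distinct message ids. A single session walking consecutive ids is the
    simplest server-side signal that someone is editing the URL."""
    ids_by_session = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session, _method, path = line.split(" ", 2)
        qs = parse_qs(urlparse(path).query)
        message_id = qs.get("id", [None])[0]
        if message_id is not None:
            ids_by_session.setdefault(session, set()).add(message_id)
    return sorted(s for s, ids in ids_by_session.items()
                  if len(ids) > max_ids_per_session)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, demo reads 34841:", vulnerable_view(db, 1, 34841))
    print("hardened,   demo reads 34841:", hardened_view(db, 1, 34841))
    print("hardened,   owner reads 34841:", hardened_view(db, 2, 34841))
    print("sessions flagged:", flag_enumeration(SAMPLE_LOG))
```

The ownership check in `hardened_view` is what closes the hole regardless of whether the ids are sequential; the random `token` column is the second, complementary step of not exposing guessable ids in the first place. The log check is deliberately crude (a fixed distinct-id threshold) and would need tuning against real traffic before being used as an alert.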