
Spyware Company Leaves ‘Terabytes’ of Selfies, Messages, Location Data Exposed - wglb
https://motherboard.vice.com/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak
======
komali2
> Motherboard was able to verify that the researcher had access to Spyfone’s
> monitored devices’ data by creating a trial account, installing the spyware on
> a phone, and taking some pictures. Hours later, the researcher sent back one
> of those pictures.

I love that they told us exactly how they verified it. Too often in the news
do we just get "was verified" or "an independent source verified," which, I
get that you gotta protect sources, but still doesn't give any insight into
their methodology. I could ask for example "how do you know you can trust your
independent source?" because I have no idea their history together.

Tech news like this is a bit easier to actually show your work for, but even
when that's the case so many security articles or people on Twitter don't show
the money like this. As much as everyone likes shitting on bitfi, for example,
it was quite a while before someone actually demonstrated a hack was done,
with reproducible methodology, rather than just blowing smoke about how it's
insecure.

~~~
adtac
IMO, you don't trust the independent source, you trust the journalist.
Naturally, you'll only trust journalists who have proven to be right most of
the time.

------
teachrdan
> “Spyfone appears to be a magical combination of shady, irresponsible, and
> incompetent,” Eva Galperin, the director of cybersecurity at digital rights
> group Electronic Frontier Foundation, told Motherboard.

Leave it to EFF to have the pithiest quote in the article. Is it possible that
companies that are shady are more likely to be irresponsible in their security
practices, because they're focused on immediate profit?

~~~
Sharlin
Is it more likely that drug dealers that are shady are more likely to be
irresponsible in their safety practices because they’re focused on immediate
profit?

~~~
drewmol
More likely than (drug dealers who are not shady)? Most likely yes.

~~~
Sharlin
That was the point. "Shady" and "irresponsible" pretty much go hand in hand.

~~~
dummyfunnytoo
Not necessarily. I'd expect the leader of an organized crime group to be very
responsible but shady as hell.

------
EthanHeilman
> Steve McBroom, a Spyfone representative, told Motherboard on Monday that the
> company is investigating the leak, and expressed relief that the person who
> found it had good intentions.

Unlike spyfone whose intentions appeared to be profiting off of violating the
privacy of others. I wonder if they have done the market research to determine
if their core demo is domestic abusers.

~~~
8_hours_ago
SpyFone can only be used with consent of the device owner. From the Terms of
Use ([https://spyfone.com/terms-of-use/](https://spyfone.com/terms-of-use/)):

"You will only install the SpyFone software on devices for which you are the
owner, or on devices for which you have received consent from the owner of the
device."

Their service cannot be used by domestic abusers, obviously. ( _sarcasm_ )

~~~
gowld
Google Maps has a location sharing feature. It goes to great lengths to notify
the device owner through both on-device and off-device methods that the phone
is being monitored, and by whom. That's the only way to run a legitimate
monitoring system.

~~~
bigiain
I'm not sure - given their recent location-privacy related coverage - that
Google should be held up as "gold standard" here...

~~~
verall
Which is why it is a fantastic example. "Even Google" is extremely explicit
that location is being shared on the target device.

------
xupybd
Spyfone's response:

"Dear Valued Customers of SpyFone.com,

Within the last 10 days, one of our servers experienced a data breach and an
unauthorized third party gained access to the data of approximately 2,200
customer accounts. The potentially exposed personal information of those
affected could include pictures, call logs, and emails.

While our team is taking steps to enhance our site’s security and we have
since taken action to ensure that all accounts are fully encrypted, we are
notifying you that your account may have been one of those negatively impacted
by the unauthorized access. In an evolving landscape of online threats,
SpyFone.com is committed to the highest standards of accountability and
transparency, and proactively works to ensure the safety and security of our
users. We will continue to work to address this matter as we partner with
leading data security firms to assist in our investigation, and coordinate
with law enforcement authorities."

------
caymanjim
I'm not sure that this discovery will have any effect. While there are claims
that this software is marketed to businesses, I'm skeptical that it's anything
more than a drop in the bucket compared to use by shady individuals.

Non-business users (like nosy parents and controlling spouses) probably won't
ever know about this security breach.

I have no sympathy for anyone who uses software like this, I strongly feel
there is no justification for software like this that outweighs the invasion
of privacy and other harms, and I don't think this functionality should even
be possible at the phone OS level, nor should it be allowed for sale in
application stores.

The security failure itself isn't surprising in the least, though. Only bad
people write this kind of software. They've already limited their pool of
potential hires to people with no ethical or moral standards.

Also, look at the image in the article containing the description of SpyFone.
They can't even perform basic copy-editing. Poor grammar in commercial
products is a solid barometer for overall product quality.

~~~
gowld
Agreed. The app's intended design purpose was to leak private data. The data
breach happened as soon as the software was installed; the exposed S3 bucket
is irrelevant.

~~~
anfilt
Doesn't mean the people targeted by the software fare any better with such data
leaked on the internet.

------
ChuckMcM
Wow, S3 is the gift that keeps on giving. My favorite quote from the article:
_“Spyfone appears to be a magical combination of shady, irresponsible, and
incompetent,”_

Amazing how people don't lock down S3 data.

~~~
lapnitnelav
Started playing around lately with AWS.

Gosh, getting the access rights to work properly between the various types of
controls in place, whether it's the groups, the access policy and whatnot is
kind of mind numbing and makes you feel very stupid.

Not that it excuses anything but it is confusing and I can foresee an
overworked engineer going "Ah fuck it, no time to read up on that, just go for
the easiest stuff to get started on using S3".

~~~
ChuckMcM
That is exactly the problem I see as well. Basically it is so hard to get it
working "correctly" (and by that we mean in a way that isn't trivially exposed
to the full frontal Internet), that engineers under pressure just punt after
getting it to work _at all_. Sort of "Ok, here it is working, we'll fix the
security concerns later, in the meantime try it out." and they get swept into
another project because this part is "working" and nobody comes back to do
the hard work of figuring out the right way to make it work.

As a result 'war driving' through the S3 namespace continues to yield up PII
and CUI nuggets of gold to bad actors.
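A small check for the pattern the two comments above describe, added here as an example (not code from the article, Spyfone or AWS): it parses an S3 bucket policy and reports statements that grant anonymous access, and shows the same policy restricted to one role. The bucket name, account id and role name are placeholders.

```python
import json

# Added example, not Spyfone's or AWS's code: flag bucket-policy statements that
# let anyone ("Principal": "*") in without a Condition, the usual shape of a
# "wide open S3 bucket". Conditioned statements are skipped for manual review.

def _principals(principal):
    """Normalise Principal ("*", {"AWS": "*"}, {"AWS": [...]}) to a flat list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend([value] if isinstance(value, str) else value)
        return out
    return []

def public_statements(policy_text):
    """Return (Sid, actions) for each statement that is open to the Internet."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be un-listed
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        findings.append((stmt.get("Sid", f"statement[{index}]"), sorted(actions)))
    return findings

# Constructed sample policies; bucket name, account id and role are placeholders.
RESOURCES = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": RESOURCES}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackendOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": RESOURCES}]})

if __name__ == "__main__":
    print("open :", public_statements(OPEN_POLICY))    # one finding: PublicRead
    print("fixed:", public_statements(FIXED_POLICY))   # []
```

The check is deliberately conservative: a `Condition` block only defers the statement to manual review, and AWS's own S3 Block Public Access settings (`BlockPublicPolicy`, `RestrictPublicBuckets`) are the belt-and-braces control that rejects such a policy regardless of how it was written.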

------
Yhippa
> Steve McBroom, a Spyfone representative, told Motherboard on Monday that the
> company is investigating the leak, and expressed relief that the person who
> found it had good intentions.

> “Thank god it is a researcher, someone good trying to protect,” McBroom said
> in a phone call.

Mr. McBroom needs to be worried about people with ill intentions who have
accessed this data in the past and that they have no idea about.

Given this is a routine S3 bucket access breach I'd assume lots of bad people
have rainbow dictionary found this by now. You can assume people are basically
doing that for public buckets all the time now.

~~~
sorokod
"Thank god..." It is most reassuring when a divine entity is invoked, especially
in a data breach context. Especially when the intervention is of a
monotheistic kind.

------
automathematics
"Wait, hiring a security guy is how much? Fuck that... How much is a Senior
engineer to make our API? .... Shit. That would definitely cost me my third
corporate lease... How much to hire those kids that emailed us out of the
blue?

Yeah, I'm sure they'll do a fine job, just hire them.

------
scarface74
First, the requirements for installing it on Android phones are a lot less....

 _Android Requirements:

You Need Physical Access To Device For Install

Supports Android Versions (4.1 - 8.1+)

iOS Requirements:

If 2 factor is on you need physical access to device

iCloud login access is required_

Then look at the features....

[https://spyfone.com/features/](https://spyfone.com/features/)

It says a lot about Android that anyone with physical access to an unlocked
phone can put this type of spyware on it.

Even if someone does leave their iPhone unlocked long enough for someone to
install the app, they still couldn't do it without authorization and even then
you have to know the target's iCloud credentials and have physical access to
the phone if it has 2FA.

~~~
jiggunjer
The way I see it, it is easier to get your hands on someone's iCloud
credentials than on an unlocked physical device. So an iPhone without 2FA is less
secure than Android. E.g. if I wanted to spy on my partner I'd prefer she had
an iPhone.

~~~
scarface74
But you still have to have physical access to the person's phone to install the
app.

If they can do all they claim they can do on a non-jailbroken iOS device (and
they have a disclaimer that all features don't work on all versions of iOS), I
would be amazed.

------
lqet
I find this level of incompetence hard to believe. Is it possible that the
company knowingly and intentionally left the collected data and their
customer list unprotected to secretly channel it somewhere else? It would at
least give them the opportunity to state incompetence if they should ever be
accused of selling their customers' private data on the dark market.

~~~
monksy
It's completely easy to believe. People are releasing crap software under the
guise of MVP.

~~~
keithnz
I watched with fascination on Twitch the other day someone programming a point
of sale system, the dev was an older guy who said he'd been programming from
85 and was coding in C# (which is similar to me). First thing that struck me
was the file he was editing he had a connection string embedded in the code,
with what looked like the real plaintext credentials for the database. I then
watched with interest as for each query he copy pasted the connection string and
other code for querying and then tried to create new queries by appending
strings together with variables. I tried to give him some constructive advice,
but he said "I'm in a bit of a rush, I just want to get this working". I
watched for another 30 minutes or so as he tried to get it working. It was
trivial what he wanted to do, he announced how he hated SQL and has spent years
writing SQL and huge massive queries. Yet his problem was easily solvable with
SQL. Looking at the code, it seems to have been done over quite some time and
was really really really bad and really insecure. But the "just need to get it
done any way possible" attitude means it will get deployed like that.

~~~
monksy
In a nutshell .. that's what the whole MVP thing is about. The minimal you
have to do so business can sell immediately.

------
zentiggr
Well, they may as well set up a website with subpages per spied device, and
per device's collected content types, and just make it official that they are
publishing third party information to the whole f***ing world.

Wow. And their customers are likely not going to know enough or care enough to
realize how much privacy they've lost.

~~~
gnode
> how much privacy they've lost

You mean that those who they've been spying on have lost?

------
aaroninsf
It's not a "breach" when there were no defenses.

------
zinssmeister
Incredibly difficult to even figure out who the company behind Spyfone is.
Anyone know?

------
jenscow
The most unfortunate side, is that the data isn't exactly that of their
customers.

------
lion121
“Every day our team takes great strides to enhance our site’s security and we
certainly anticipate that this recent data breach is the last,”

Yeah, granting public access to S3 buckets sounds like a great effort to
enhance data security

------
technion
Here's the irony: For the last few weeks, my Facebook feed has been plastered
with scare stories about certain apps being unsafe for kids. People posting
image macros about things like Roblox, getting 50+ responses about how scary
it is.

This situation, which imo is a real danger, will get 0 attention outside the
tech community.

I really wish I had an answer. Maybe I should make of this or something in
order to make people share it.

------
auslander
Spyfone Supported devices:

- Android operating system must be Android 4.0 or higher.

- iOS operating system must be iOS 7 to iOS 8.4 or iOS 9.0 to 9.1 (Oct 2015)

Just make sure your target is not using iPhone :)

[https://spyfone.com/compatibility-policy/](https://spyfone.com/compatibility-policy/)

------
MichaelApproved
> _“Every day our team takes great strides to enhance our site’s security and
> we certainly anticipate that this recent data breach is the last,” McBroom
> said._

Holy shit. They left an Amazon S3 bucket wide open, their admin site was wide
open, and their API stream of contacts was wide open.

Their concept of security is non-existent and they think this will be the last
breach?

I doubt you'd hear any competent IT director ever say they won't experience
data breaches in the future.

The incompetency is mind boggling.

~~~
jakeywankenobi
Yeah. I mean, at what point does this level of neglect become criminal?

~~~
nostromo
I actually don't think it needs to be criminal. We just need civil laws that
make these kind of leaks incredibly costly.

Maybe liability for private information loss could be $10k a user. So, Equifax
would owe the public 1.4 trillion dollars. Of course, they wouldn't be able to
pay that, so the company would be chopped up into bits and sold for scrap.

I think _that_ would catch more attention than some mid-level manager fall guy
going to jail for six months, as would likely be the case with criminal
proceedings.

~~~
Tade0
_Maybe liability for private information loss could be $10k a user._

Or maybe up to 4% of the company's revenue.

~~~
amonavis
Up to 4% of the company's revenue doesn't solve much. Depending on the sector,
4% of revenue (are we talking EBITDA?) may potentially be less than a slap on
the wrist, and internally middle-management will take the blame for the
reduction in sales margin/operating profit.

~~~
lmkg
The above comment is almost certainly a reference to GDPR, for which the
maximum penalty for malicious non-compliance is "up to 4 % of the total
worldwide annual turnover." It is not net income or profit or EBITDA or
anything else that subtracts operating cost, it is revenue.

------
jiggunjer
My gf was stalked by an ex using this type of crap. Had to wipe her phone and
change her cloud credentials. Still worry my personal photos are now floating
around on the web.

------
0xCMP
Well at least this company is trying to solve the problems! So many times this
ends up with the company attacking the researcher.

------
samstave
The copy on that "EULA" is in poor English.

Also, anyone who uses an app/service like this, and that service has the word
"spy" in their company/product name deserves to have their data and identity
compromised.

~~~
bmarkovic
Perhaps. But those that they spy on (spouses, children, employees..) don't.

~~~
MichaelApproved
Not even perhaps. Stop blaming the victims.

