
Cell Phone Spying Service Leaking Data?

Last week, the geek news world was abuzz with news of a spying service that lets people intercept text messages, call logs, e-mails and other information from BlackBerry and Windows Mobile-equipped smart phones. But it appears the privacy threat is even bigger: According to evidence unearthed by at least one security researcher, the company that offers the intercept service has left its database freely viewable to anyone with a Web browser.

The service at issue, FlexiSPY, is touted as one that can help customers "catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms [sic] etc." The company even offers a demo account that potential customers can use to check out a sampling of intercepted communications.

One security researcher found that by using this application, people are exposing the records of those they're spying on to the entire world. The trouble stems from the fact that each item in the database is assigned a specific numeric ID, which is contained in the URL. According to this advisory, penned by a researcher at AirScanner, a mobile and wireless security company, simply modifying that address while logged in to the demo account allows full access to the database going back at least until the middle of last year.

I contacted Vervata LTD, the London-based company that owns FlexiSPY, but have yet to hear back. But AirScanner's advisory has been live since June 14, and the FlexiSPY phone records database still appears to be wide open. An update posted to that advisory on June 29 states: "According to an anonymous source who contacted us after this was posted on Bugtraq, the FlexiSPY web application was previously discovered by numerous people and has been exploited repeatedly."

Update, 10:56 a.m.: I spoke by phone this morning with Atir Raihan, Vervata's managing director. Raihan said the company was not aware of any vulnerability in the company's database, and that when visitors type in custom URLs after logging into the FlexiSPY demo account, they are automatically kicked back to the login page. Security Fix tested his claim and found it to be true, although up until at least June 28, the hack detailed by AirScanner did indeed work as described.
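
The flaw described above is a record lookup keyed only on the numeric ID in the URL, with no check that the record belongs to the logged-in account. The following is an added example, not code from this article, the AirScanner advisory or FlexiSPY; the record store, function names and status tuples are assumptions made for illustration. It contrasts that lookup with one that checks ownership and, as the update describes, sends the session back to the login page on a mismatch.

```python
from dataclasses import dataclass, field

# Constructed sample data: record id -> (owning account, stored item).
RECORDS = {
    1001: ("demo", "SMS: sample message for the demo account"),
    1002: ("alice", "SMS: private message logged for alice"),
    1003: ("bob", "Call log: private entry logged for bob"),
}

@dataclass
class Session:
    account: str
    active: bool = True
    denied: list = field(default_factory=list)  # audit trail of refused ids

def view_item_unchecked(session, raw_id):
    """Flawed pattern: being logged in is the only condition for reading an id."""
    if not session.active:
        return 302, "/login"
    row = RECORDS.get(int(raw_id))
    return (200, row[1]) if row else (404, "not found")

def view_item_checked(session, raw_id):
    """Object-level check: the record must belong to the session's account."""
    if not session.active:
        return 302, "/login"
    try:
        record_id = int(raw_id)
    except (TypeError, ValueError):
        return 404, "not found"  # malformed id, nothing to look up
    row = RECORDS.get(record_id)
    # Unknown ids and other accounts' ids get the same answer, so the
    # response does not reveal which ids exist in the database.
    if row is None or row[0] != session.account:
        session.denied.append(record_id)  # keep the attempt for review
        session.active = False            # end the session
        return 302, "/login"
    return 200, row[1]
```
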

By Brian Krebs  |  July 9, 2007; 9:55 AM ET
Categories:  From the Bunker  

Comments

Looks like it's fixed now -- when trying to view another item's details when logged in with their demo account, you're automatically logged out.

Posted by: Jordan | July 9, 2007 11:04 AM | Report abuse

Ahem, does that really matter!? There is a service which can for a fee spy on my smartphone transactions??? WTF!

Posted by: DBH | July 9, 2007 4:42 PM | Report abuse

I need mobile secret incoming and SMS checking software

Posted by: Ananthamohan.R | July 11, 2007 3:12 AM | Report abuse

Gee, commercial companies can do for money what reporters rake the government over the coals for trying to do to find crooks and terrorists. Wonder if (or why not) the NSA/CIA/etc could pay them to use the program? Probably cheaper than all that spying and baiting online.

Posted by: Robin | July 13, 2007 10:39 PM | Report abuse

Managed Hosting, Colocation and Data Center Services by victoryushchenkonashpresudent ...

Posted by: Robert | July 26, 2007 7:09 PM | Report abuse


© 2010 The Washington Post Company