pcTattleTale hasn’t been very careful about securing the screenshots it sneakily takes from its victims’ phones.
pcTattleTale markets itself as “employee and child monitoring software” that is undetectable by the device user, but it can also be used to spy on spouses and partners. It allows its clients to view real-time screenshots of phones of people they’re monitoring by visiting a certain URL.
The website proudly boasts:
pcTattletale is the only solution that makes “YouTube” like videos of their every tap or click. Just watch the recordings from your phone or computer using your secure pcTattletale account as they live their secret online lives.
Unfortunately, everyone else can view the images, too, if they know where to look.
According to Jo Coscia, the security researcher who discovered the issue while using a trial version of pcTattleTale, the company uploads the screenshots to an unsecured AWS bucket.
This means that anyone can view what’s inside the bucket as it doesn’t require any form of authentication—such as a user name and password.
Motherboard breaks down how anyone can access these screenshots:
The URL for images that pcTattleTale captures is constructed with the device ID—a code given by pcTattleTale to the infected device that appears to be sequentially generated—the date, and a timestamp. Theoretically, an attacker may be able to churn through different URL combinations to discover images uploaded by other infected devices.
This is, essentially, brute forcing the discovery of new devices and the images linked to them. Because there is no authentication, a threat actor, or really anyone who can write a simple script, could retrieve most if not all images from the AWS bucket.
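The missing control is something a bucket owner can audit for. The following is an added example, not code from pcTattleTale, Motherboard or the researcher: a check of a bucket policy document for statements that let unauthenticated callers read objects. It assumes the bucket is Amazon S3 and that access is granted through a bucket policy; the sample policy, bucket name and account ID are constructed.

```python
import fnmatch
import json

READ_ACTION = "s3:GetObject"

def _as_list(value):
    """Policy fields may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, no credentials."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _grants_read(actions):
    """True if any action pattern (s3:*, s3:Get*, *) covers s3:GetObject."""
    return any(fnmatch.fnmatchcase(READ_ACTION.lower(), a.lower()) for a in actions)

def anonymous_read_statements(policy):
    """Return (sid, resources, has_condition) for every Allow statement
    that lets unauthenticated callers fetch objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(_as_list(stmt.get("Action", []))):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Resource", [])),
                         "Condition" in stmt))
    return findings

# Constructed sample policy; bucket name and account ID are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicScreenshots", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "UploaderOnly", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "WildcardFromOffice", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
]}
""")
```

Statements flagged with a condition still need manual review. The check does not evaluate object ACLs or NotPrincipal/NotAction statements.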
In pcTattleTale’s promotional emails, Coscia notes, the company says it will delete users’ data after the trial period expires. However, screenshots that Coscia’s software took were still accessible after the trial period had ended.
Not only that, pcTattleTale clients who have already deleted their accounts can still access the screenshots their app took of their victims’ phones, according to Android malware researcher Lukas Stefanko.
Bryan Fleming, owner of pcTattleTale, claims that it does delete data. In an interview with Motherboard, Fleming said: “Yes it does delete the data. I keep it there a little longer. A lot of people accidentally delete their devices and let the trial expire…Then of course they need the screen shots back.”
The stalkerware market is good. How about your relationship?
Companies that market stalkerware-type products and/or services unfortunately have track records of poor security practices. Take a look: the trainwreck is real.
pcTattleTale is one of those companies that explicitly and clearly tell potential users that, by using its software, they will be violating someone’s privacy, essentially putting the onus on users to operate at their own risk.
And, still, the market continues to thrive.
“The market’s good, you know,” Fleming says in the Motherboard piece.
Given that online stalking and stalkerware are largely accepted by Americans, we’d say that current attitudes about online stalking and stalkerware in general will remain unchanged. This is one reason why Malwarebytes continues to raise awareness about invasive monitoring apps, and (if you have kids under your care) promotes open and healthy communication between parties.