As you might imagine, Spyfone is a company that offers to spy on other people's phones for you: its major market is parents and bosses who infect and surveil the phones their kids/minions use, peeking at their texts, emails, Facebook messages, passwords, photos, browsing history, etc.
Spyfone is, in the words of my EFF colleague Eva Galperin, "a magical combination of shady, irresponsible, and incompetent." A security researcher has discovered that Spyfone maintains an unencrypted, unprotected Amazon S3 bucket in which it stores all the personal data it has harvested from thousands of its victims.
The company also failed to protect one of its APIs, so that anyone who guessed an easy-to-derive URL could monitor the data of new customers as they were added.
Spyfone's reckless incompetence exposed 2,208 people's most personal data, from 3,666 devices, as well as 44,109 unique email addresses.
The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, among others, according to a security researcher who asked to remain anonymous for fear of legal repercussions.
Last week, the researcher found the data on an Amazon S3 bucket owned by Spyfone, one of many companies that sell software that is designed to intercept text messages, calls, emails, and track locations of a monitored device.
Motherboard was able to verify that the researcher had access to Spyfone’s monitored devices’ data by creating a trial account, installing the spyware on a phone, and taking some pictures. Hours later, the researcher sent back one of those pictures.
Spyware Company Leaves ‘Terabytes’ of Selfies, Text Messages, and Location Data Exposed Online [Lorenzo Franceschi-Bicchierai/Motherboard]