As you might imagine, Spyfone is a company that offers to spy on other people's phones for you: its major market is parents and bosses who infect and surveil the phones their kids/minions use, peeking on their texts, emails, Facebook messages, passwords, photos, browsing history, etc.
Spyfone is, in the words of my EFF colleague Eva Galperin, "a magical combination of shady, irresponsible, and incompetent." A security researcher has discovered that Spyfone maintains an unencrypted, unprotected Amazon S3 bucket in which it stores all the personal data it has harvested from thousands of its victims.
The company also failed to protect one of its APIs, so that anyone who guessed an easy-to-derive URL could monitor the data of new customers as they were added.
Spyfone's reckless incompetence exposed 2,208 people's most personal data, from 3,666 devices, as well as 44,109 unique email addresses.
The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, among others, according to a security researcher who asked to remain anonymous for fear of legal repercussions.
Last week, the researcher found the data on an Amazon S3 bucket owned by Spyfone, one of many companies that sell software that is designed to intercept text messages, calls, emails, and track locations of a monitored device.
Motherboard was able to verify that the researcher had access to Spyfone’s monitored devices’ data by creating a trial account, installing the spyware on a phone, and taking some pictures. Hours later, the researcher sent back one of those pictures.
Spyware Company Leaves ‘Terabytes’ of Selfies, Text Messages, and Location Data Exposed Online [Lorenzo Franceschi-Bicchierai/Motherboard]