A number of spying apps on the Google Play Store have security weaknesses that leave their users’ private data and passwords unprotected, a team of researchers said, adding that, by exploiting these loopholes, hackers can spy on millions of users without their knowledge. The researchers pinpointed the “Couple Vow” app on the platform, which allegedly exposed the login details of its 1.7 million users.
“Anyone who had access to an account wouldn’t just have all the location, text and call data of whoever was being tracked, but all content sent through the app’s messaging feature. A separate vulnerability in the app’s database meant hackers (thankfully benevolent ones in this case) could grab all 1.7 million users’ data in tranches of information. In some cases that included nude images,” Forbes quoted the researchers from the Germany-based Fraunhofer Institute for Secure Information Technology (SIT).
The researchers said that they requested the data from the app server using “a GET request.” The team found that no username or password had to be entered: all the user logins were unencrypted, and anyone with an internet connection could read them. “You do not even have to attack the server. A single GET request gets you all the data as there was no authentication at all,” SIT Security Researcher Siegfried Rasthofer was quoted as saying.
They also claimed that there was another vulnerability in the app which allowed them to pull nine images at a time. When they tried to see if their own images were accessible, they found that other photos were also available for download, including nude images. (The researchers claim that they did not download anyone else’s images; the images were only previews stored in the browser, and the cache was also deleted.) The team also probed 18 other tracker apps over the past year and found that they all had weaknesses that could be exploited to access the details of all the users’ accounts.