search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Mobile device monitoring services do not authenticate API requests

Vulnerability Note VU#229438

Original Release Date: 2022-02-22 | Last Revised: 2022-02-24

Overview

The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called "stalkerware." An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.

Description

IDOR is a common web application flaw that essentially exposes information on a server because of insufficient authentication or authorization controls. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below.

For more information and a detailed account of the flaw and investigation, please see "Behind the stalkerware network spilling the private phone data of hundreds of thousands."

Impact

An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.

Solution

We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability.

For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it." As noted by TechCrunch:

Before you proceed, have a safety plan in place. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation.

Acknowledgements

Thanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware.

This document was written by James Stanley and Art Manion.

Vendor Information

229438
 

1Byte Software Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Antra Sys Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Copy9 Affected

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

eXact Softy Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

ExactSpy Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Fone Tracker Affected

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Guest Mobi Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Guest Spy Affected

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

iSpyoo Affected

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

iYoo Global Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Jexpa Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

MobileLeak Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Mobile X Global Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

MXSPY Affected

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

SecondClone Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

TheSpyApp Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

The Truth Spy Affected

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

WeySys Affected

Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Codero Unknown

Notified:  2021-11-02 Updated: 2022-02-22

CVE-2022-0732 Unknown
VU#229438.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 19 vendors View less vendors


Other Information

CVE IDs: CVE-2022-0732
Date Public: 2022-02-22
Date First Published: 2022-02-22
Date Last Updated: 2022-02-24 20:41 UTC
Document Revision: 4

Sponsored by CISA.