Mobile spyware maker mSpy has expended a great deal of energy denying and then later downplaying a breach involving data stolen from tens of thousands of mobile devices running its software. Unfortunately for victims of this breach, mSpy’s lackadaisical response has left millions of screenshots taken from those devices wide open and exposed to the Internet via its own Web site.
The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.
The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.
For example, here’s a fairly benign screen shot reference that was included in the leaked files:
“ref”: “dav/a00/003/628/359/2015/02/24/cGWmz4OjqoyImZQh-25493887.jpg.open
Adding the base URL to that URL stem produces a screen shot showing an mSpy-enabled device browsing seberizeni.cz, a Czech news site. Disturbingly, it is trivial to identify the owners of many mSpy-enabled devices merely based on the information available in the bookmarks bar or Web browser windows shown in many of these screen shots.
According to mSpy, however, this is not a big deal. Almost a week after I requested comment from mSpy, a person named Amelie Ross responded with a somewhat nonsensical statement that essentially said the whole incident was dramatically exaggerated and aggravated by the media.
“Data logs do not include the information of the account user, therefore cannot be tracked back to data owner,” Ross said, ignoring the fact that I was able to identify and contact many of the company’s customers. “This case been a hard lesson and will only serve as an incentive for perfecting our service further. We have communicated with our customers whose data could have been stolen, described them a situation and they perceived it with a total understanding.”
Reached today about the exposed screenshots, mSpy reiterated its claim the data cannot be traced back to the data owner, and then acknowledged that it was reworking its system to render the exposed screenshot links unusable.
“Currently we’re working on re-hashing of the exposed data, which will result in the leaked links becoming inoperable,” Ross wrote. “We expect it to be completed within 24 hours.”
A number of journalists following the mSpy breach story have asked if I knew where the company was based, noting that authorities from several countries are now investigating the breach. As I mentioned in my original story on the break-in, the founders of the company variously claimed UK and Russian nationality, but it remains unclear where the company is physically located. However, I’m leaning toward Russia or another Eastern European country. Ross’s response to my initial email includes a forwarded copy of my May 9 message to the main [email protected] mailbox, which was prefaced by the the timestamp: “09.05.2015 17:55, brian krebs пишет:” That last word, пишет, is Russian for “wrote”. According to a review of the email headers, the response was sent from a laptop in Ukraine on the Eastern European summer time zone.
I hope it’s clear that it’s foolhardy to place any trust or confidence in a company whose reason for existence is secretly spying on people. Alas, the only customers who can truly “trust” a company like this are those who are indifferent to the privacy and security of the device owner being spied upon.
Source: Krebs