Independent security researcher Swarang Wade discovered a vulnerability that allows anyone to reset any user's password on TheTruthSpy and its companion Android spyware apps, enabling account takeover and access to victims' sensitive phone data. Many customers are likely operating the spyware without targets' consent, so compromised phones may be leaking personal information. TheTruthSpy has experienced multiple prior data exposures; this incident is at least the fourth security lapse for the operation and part of a wider pattern of spyware data spills. Attempts to notify the operator received no response, and the director said he "lost" the source code and cannot fix the bug. The vulnerability remains active and puts thousands of unknowingly compromised phones at risk.
Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it's likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.
This basic flaw shows, once again, that makers of consumer spyware such as TheTruthSpy - and its many competitors - cannot be trusted with anyone's data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators. To date, TechCrunch has counted at least 26 spyware operations that have leaked, exposed, or otherwise spilled data in recent years.