Researchers from the Vulnerability Lab have identified a number of web flaws in the popular spy app called MobileSpy. Since the vendor has failed to reply to their inquiries, they have decided to make their findings public to raise awareness among users.
Before moving on to the actual security holes, let’s take a look at the app itself. MobileSpy is an application that allows smartphone owners to log the activities of the devices on which the program is installed. This includes call information, SMS data, GPS location and much more.
The surveillance app is designed to work on most platforms, including Symbian, iOS, Android, BlackBerry and Windows Phone.
The fact that it’s compatible with a large number of devices makes this piece of software a tempting target for cybercriminals, which is why it’s recommended that customers act with caution until the vendor manages to address these weaknesses.
The first security hole found by experts from Vulnerability Lab refers to a number of persistent server-side input validation issues, which can allow a remote attacker to manipulate application requests and hijack sessions.
The founder and CEO of the company, Benjamin Kunz Mejri, provides a great example on how this flaw could be leveraged.
“If you know for example your mobile is observed you can inject script code to your SMS and send it via service. The SMS spy service is logging the issue & the script code is getting executed on the display website of the observer,” he explains
Basically, this bug can turn the spy into the one who’s spied on.
The same type of vulnerability can be found in a non-persistent form in MobileSpy.
These weaknesses are considered to be of medium severity because they require user interaction in order to be exploited, unlike the persistent ones that can be leveraged without the need of social engineering.
The last flaw is a dangerous SQL Injection that can be utilized to compromise the application’s database management system.