Softpedia
 


May 16th, 2012, 11:55 GMT

Multiple Web Vulnerabilities Expose MobileSpy App to Attacks, Experts Say

Researchers from the Vulnerability Lab have identified a number of web flaws in the popular spy app called MobileSpy. Since the vendor has failed to reply to their inquiries, they have decided to make their findings public to raise awareness among users.

Before moving on to the actual security holes, let’s take a look at the app itself. MobileSpy is an application that allows smartphone owners to log the activities of the devices on which the program is installed. This includes call information, SMS data, GPS location and much more.

The surveillance app is designed to work on most platforms, including Symbian, iOS, Android, BlackBerry and Windows Phone.

The fact that it’s compatible with a large number of devices makes this piece of software a tempting target for cybercriminals, which is why it’s recommended that customers act with caution until the vendor manages to address these weaknesses.

The first security hole found by experts from Vulnerability Lab refers to a number of persistent server-side input validation issues, which can allow a remote attacker to manipulate application requests and hijack sessions.

The founder and CEO of the company, Benjamin Kunz Mejri, provides a great example of how this flaw could be leveraged.

“If you know for example your mobile is observed you can inject script code to your SMS and send it via service. The SMS spy service is logging the issue & the script code is getting executed on the display website of the observer,” he explains.

Basically, this bug can turn the spy into the one who’s spied on.
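
The persistent flaw described above comes down to logged message fields being written into the observer's web page without output encoding. The following is an added example, not code from MobileSpy or Vulnerability Lab: the log entries are constructed and all function names are hypothetical. It shows the weak rendering next to the corrected one, plus a coarse check that flags any row whose logged data reaches the page as markup.

```javascript
// Added example with constructed data; not taken from the product.
// Log entries as a monitoring dashboard might store them. Both fields
// are controlled by whoever sends the message.
const smsLog = [
  { from: "+15550100", body: "Running late, see you at 6" },
  { from: "+15550101", body: "<script>/* sender-controlled */</script>" },
  { from: '+15550102"><b>', body: "R&D <meeting> at 5 o'clock" },
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for use in HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: logged fields are concatenated into the page as-is.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.from}</td><td>${entry.body}</td></tr>`;
}

// Corrected form: every logged field is encoded before it is written out.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.from)}</td><td>${escapeHtml(entry.body)}</td></tr>`;
}

// Coarse review check: remove the template's own tags, then look for any
// tag opener that can only have come from the logged data.
function introducesMarkup(rendered) {
  const withoutTemplate = rendered.replace(/<\/?(tr|td)>/g, "");
  return /<[a-z!\/]/i.test(withoutTemplate);
}

// Return the senders whose entries end up as markup under a given renderer.
function auditRenderer(render, entries) {
  return entries.filter((e) => introducesMarkup(render(e))).map((e) => e.from);
}

console.log("unsafe renderer flags:", auditRenderer(renderRowUnsafe, smsLog));
console.log("safe renderer flags:  ", auditRenderer(renderRowSafe, smsLog));
```

Encoding at output time protects the page no matter which channel the data arrived through, which matters here because the SMS body never passes through a web form that could validate it.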

The same type of vulnerability can be found in a non-persistent form in MobileSpy.

These weaknesses are considered to be of medium severity because they require user interaction in order to be exploited, unlike the persistent ones that can be leveraged without the need for social engineering.

The last flaw is a dangerous SQL Injection that can be utilized to compromise the application’s database management system.