Taking over 60k spyware user accounts with SQL injection
10 months ago
- #SQL-injection
- #stalkerware
- #cybersecurity
- Catwatchful is a full-featured Android spy app that offers a 3-day free trial and advertises itself as stalkerware.
- The app is invisible, undetectable, and cannot be uninstalled or stopped, collecting data in absolute stealth.
- Registration involves creating accounts in both Firebase and a custom database on catwatchful.pink.
- The spy app requests extensive permissions, disguises itself with a generic 'Settings' icon, and runs persistently in the background.
- Captured user data is stored in Firebase, which reduces the attack surface because Firebase's own access controls apply to it.
- A SQL injection vulnerability was found on the catwatchful.pink server, allowing unauthorized access to its database.
- The SQL injection exposed plaintext logins and passwords for approximately 62,000 Catwatchful accounts.
- After discovery, efforts were made to take down the service, including contacting Google and hosting providers.
- Despite initial takedowns, the service was restored with a new domain and a WAF was later implemented to block the SQL injection.