Mobile spyware maker mSpy has expended a great deal of energy denying and then later downplaying a breach involving data stolen from tens of thousands of mobile devices running its software. Unfortunately for victims of this breach, mSpy’s lackadaisical response has left millions of screenshots taken from those devices wide open and exposed to the Internet via its own Web site.
The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.
The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.
For example, here’s a fairly benign screen shot reference that was included in the leaked files:
Adding the base URL to that URL stem produces a screen shot showing an mSpy-enabled device browsing seberizeni.cz, a Czech news site. Disturbingly, it is trivial to identify the owners of many mSpy-enabled devices merely based on the information available in the bookmarks bar or Web browser windows shown in many of these screen shots.
According to mSpy, however, this is not a big deal. Almost a week after I requested comment from mSpy, a person named Amelie Ross responded with a somewhat nonsensical statement that essentially said the whole incident was dramatically exaggerated and aggravated by the media. Continue reading →