{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/229438#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called \"stalkerware.\" An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.\r\n### Description\r\nIDOR is a common web application flaw that essentially exposes information on a server because of insufficient authentication or authorization controls. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below. \r\n\r\nFor more information and a detailed account of the flaw and investigation, please see \"[Behind the stalkerware network spilling the private phone data of hundreds of thousands](https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/).\" \r\n### Impact\r\nAn unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.\r\n\r\n### Solution\r\nWe are unaware of a practical solution to this problem. The infrastructure provider (according to the [TechCrunch investigation](https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/), 1Byte Software), would need to address the IDOR vulnerability. \r\n\r\nFor advice on detecting and removing stalkerware apps, see \"[Your Android phone could have stalkerware, here's how to remove it](https://techcrunch.com/2022/02/22/remove-android-spyware/).\" As noted by TechCrunch:\r\n> Before you proceed, have a safety plan in place. The [Coalition Against Stalkerware](https://stopstalkerware.org/information-for-survivors/) offers advice and guidance for victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation.\r\n### Acknowledgements\r\nThanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware.\r\n\r\nThis document was written by James Stanley and Art Manion.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/229438"},{"url":"https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/","summary":"https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/"},{"url":"https://techcrunch.com/2022/02/22/remove-android-spyware/","summary":"https://techcrunch.com/2022/02/22/remove-android-spyware/"},{"url":"https://stopstalkerware.org/","summary":"https://stopstalkerware.org/"},{"url":"https://www.ftc.gov/news-events/press-releases/2021/09/ftc-bans-spyfone-and-ceo-from-surveillance-business","summary":"https://www.ftc.gov/news-events/press-releases/2021/09/ftc-bans-spyfone-and-ceo-from-surveillance-business"},{"url":"https://cwe.mitre.org/data/definitions/284.html","summary":"https://cwe.mitre.org/data/definitions/284.html"}],"title":"Mobile device monitoring services do not authenticate API requests","tracking":{"current_release_date":"2023-02-24T20:34:27+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#229438","initial_release_date":"2022-02-22 16:33:11.184055+00:00","revision_history":[{"date":"2023-02-24T20:34:27+00:00","number":"1.20230224203427.5","summary":"Released on 2023-02-24T20:34:27+00:00"}],"status":"final","version":"1.20230224203427.5"}},"vulnerabilities":[{"title":"The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.","notes":[{"category":"summary","text":"The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability."}],"cve":"CVE-2022-0732","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#229438"}],"product_status":{"known_not_affected":["CSAFPID-b7ada6e2-3a2a-11f1-8422-122e2785dc9f"]}},{"title":"Each app's dashboard has the same \"export\" feature, which allows the operator to download a file containing the full contents of a victim's phone.","notes":[{"category":"summary","text":"Each app's dashboard has the same \"export\" feature, which allows the operator to download a file containing the full contents of a victim's phone. That includes geolocation data, contacts, text messages, call logs, browsing history, and more.\r\n\r\nBecause these white label stalkerware apps share the same codebase, they are all vulnerable to the same bug. The risk is raised because any operator with access to one of these stalkerware dashboards can export the data from any victim's phone via any one of these white labeled stalkerware apps. (For example: a Copy9 operator could access the private phone data of a victim's phone that has MxSpy or TheTruthSpy installed.)"}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#229438"}],"product_status":{"known_affected":["CSAFPID-b7ae2a86-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7ae8b84-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7aed5f8-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7af1680-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7af4d12-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7af7508-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7afbc7a-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b0040a-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b03434-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b05f5e-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b0b5da-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b0eb90-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b17c68-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b1d474-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b1ff80-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b244c2-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b284be-3a2a-11f1-8422-122e2785dc9f","CSAFPID-b7b2c654-3a2a-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-b7b11c3c-3a2a-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Codero","product":{"name":"Codero Products","product_id":"CSAFPID-b7ada6e2-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Antra Sys","product":{"name":"Antra Sys Products","product_id":"CSAFPID-b7ae2a86-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eXact Softy","product":{"name":"eXact Softy Products","product_id":"CSAFPID-b7ae8b84-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Guest Mobi","product":{"name":"Guest Mobi Products","product_id":"CSAFPID-b7aed5f8-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"iYoo Global","product":{"name":"iYoo Global Products","product_id":"CSAFPID-b7af1680-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Jexpa","product":{"name":"Jexpa Products","product_id":"CSAFPID-b7af4d12-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MobileLeak","product":{"name":"MobileLeak Products","product_id":"CSAFPID-b7af7508-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Mobile X Global","product":{"name":"Mobile X Global Products","product_id":"CSAFPID-b7afbc7a-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"WeySys","product":{"name":"WeySys Products","product_id":"CSAFPID-b7b0040a-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ExactSpy","product":{"name":"ExactSpy Products","product_id":"CSAFPID-b7b03434-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SecondClone","product":{"name":"SecondClone Products","product_id":"CSAFPID-b7b05f5e-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"TheSpyApp","product":{"name":"TheSpyApp Products","product_id":"CSAFPID-b7b0b5da-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"1Byte Software","product":{"name":"1Byte Software Products","product_id":"CSAFPID-b7b0eb90-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Codero","product":{"name":"Codero Products","product_id":"CSAFPID-b7b11c3c-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Copy9","product":{"name":"Copy9 Products","product_id":"CSAFPID-b7b17c68-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fone Tracker","product":{"name":"Fone Tracker Products","product_id":"CSAFPID-b7b1d474-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Guest Spy","product":{"name":"Guest Spy Products","product_id":"CSAFPID-b7b1ff80-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"iSpyoo","product":{"name":"iSpyoo Products","product_id":"CSAFPID-b7b244c2-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MXSPY","product":{"name":"MXSPY Products","product_id":"CSAFPID-b7b284be-3a2a-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"The Truth Spy","product":{"name":"The Truth Spy Products","product_id":"CSAFPID-b7b2c654-3a2a-11f1-8422-122e2785dc9f"}}]}}