TheTruthSpy is a mobile spy phone software for iOS and Android, advertised as the best way to track someone’s iPhone/iPad and Android phones.
A hacker with initials L.M. told Motherboard that he gained access to the TheTruthSpy servers on February that has more than more than 10,000 customer accounts. He claimed that “I [have] admin access to the servers.” and “I control victims all over the world.”
Motherboard verified the breach with the sample of login credentials shared by the hacker and the data found authentic.
Access to TheTruthSpy Servers
He gained access to the TheTruthSpy Servers by reversing engineering the android app and exploiting a vulnerability in it. Inside the media server, L.M. said he saw the unique IDs of all customers within audio files, which were named “cell phone ID_date_time.”
The vulnerability resides in how the user credentials are requested, TheTruthSpy app requests the user credentials by sending the ID to the company servers by using a web request that returns the login credentials in plaintext.
L.M. said Motherboard by using an automated script he harvested all the customers’ credentials. he also warned that most of the customers reuse the credentials with their mail, PayPal or Amazon accounts.
Recently another spyware company Spyfone exposed terabytes of data that includes audio recordings, text messages, photos and web history from an unsecured Amazon S3 bucket.