[HN Gopher] Taking over 60k spyware user accounts with SQL injec...
___________________________________________________________________
Taking over 60k spyware user accounts with SQL injection
Author : mtlynch
Score : 132 points
Date : 2025-07-03 14:56 UTC (5 days ago)
(HTM) web link (ericdaigle.ca)
| mtlynch wrote:
| sqlmap https://catwatchful.pink/webservice/servicios.php?operatio
| n=getDevice&imei=M6GPYXHZ95ULUFD0 ... sqlmap
| identified the following injection points
|
| This was the wildest part to me. I'd heard of sqlmap but I didn't
| realize it was so good that you can just hand it a URL that hits
| the database and the tool basically figures out from there how to
| dump the database contents if there's any SQL injection
| vulnerability.
|
| > _Intercepting my test phone's traffic confirms that the files
| are directly uploaded to Firebase, and reveals that the commands
| for features like live photos are also handled through FCM. This
| is going to reduce our attack surface by a lot - nothing in
| Firebase is going to be IDORable or vulnerable to SQLI, and some
| quick testing eliminates any of the usual traps like open storage
| buckets or client-side service account credentials._
|
| I was surprised at how the malware devs made such sloppy mistakes
| but being on Firebase protected them from more severe
| vulnerabilities. I've seen other vendors get popped by configuring
| Firebase incorrectly, but it seems like if you configure the
| basics right, it cuts down the attack surface a lot.
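A defender's counterpart to the sqlmap run quoted above, added here as an example (it is not code from the thread, from the blog post, or from the service discussed): the same kind of probing that sqlmap automates leaves a recognisable trail in web-server access logs, and a few lines of Python are enough to surface it. The log lines are constructed for this example, the `/ws/getDevice` path is a placeholder rather than the real endpoint, and the IP addresses are documentation ranges.

```python
"""Added example (not from the thread): flag SQL-injection probing in
web-server access logs. The log lines below are constructed, the
/ws/getDevice path is a placeholder rather than the real endpoint, and
the IPs come from documentation ranges."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators checked against each URL-decoded parameter value.
INDICATORS = [
    ("boolean-tautology", re.compile(r"'\s*(?:and|or)\s+[\w']+\s*=", re.I)),
    ("union-based", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"--\s*$|#\s*$|/\*")),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(|waitfor\s+delay", re.I)),
]

# Constructed sample: one normal request, two probes from the same client
# (one of them announcing itself in the User-Agent), one more normal request.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2025:14:56:01 +0000] "GET /ws/getDevice?imei=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2025:14:56:02 +0000] "GET /ws/getDevice?imei=ABC123%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.8"
203.0.113.5 - - [03/Jul/2025:14:56:03 +0000] "GET /ws/getDevice?imei=ABC123%27%20UNION%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2025:14:57:10 +0000] "GET /ws/getDevice?imei=XYZ789 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(url, user_agent):
    """List the indicator names that fire for one request."""
    reasons = []
    if "sqlmap" in user_agent.lower():
        reasons.append("scanner user-agent")
    # parse_qsl percent-decodes, so encoded quotes and spaces are inspected
    # in their decoded form, the way the database would see them.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                reasons.append(name)
    return reasons


def scan_log(text):
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = sqli_indicators(rec["url"], rec["ua"])
        if reasons:
            findings.append({"ip": rec["ip"], "status": rec["status"],
                             "url": rec["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["reasons"]), f["url"])
```

The User-Agent check is the weakest signal, since a scanner can set anything it likes there; the decoded-parameter patterns and the burst of 5xx responses from one client are what you would actually alert on, and the same decoding step matters in any WAF rule, because the probe arrives percent-encoded and only looks like SQL after decoding.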
| supriyo-biswas wrote:
| The incorrect Firebase configuration usually stems from people
| trying to have the frontend write database entries directly,
| however these developers usually had an old-school backend
| sending structured objects to Firebase, so that issue was kinda
| mitigated.
| sigmoid10 wrote:
| >I'd heard of sqlmap but I didn't realize it was so good
|
| The blog correctly explains how it has become pretty useless in
| our age where no one writes their own database integration
| anymore and everyone uses off-the-shelf components, but man...
| I remember a time when it felt like literally every
| sufficiently complex web service was vulnerable to SQL
| injection. You could write a small wrapper for sqlmap, hook it
| up to the results of a scraper, let it run overnight on every
| single piece of data sent to the server and the next day you'd
| have a bunch of entry points to choose from. It even handled
| WAFs to some degree. I'm out of it-sec for several years now,
| but I still remember every single command line argument for
| sqlmap like it was yesterday.
| technion wrote:
| I've always admired HN for bringing me people in very
| different spaces. Of the development teams I've worked with
| in the last year pretty much all of them were writing
| injectable code by default. I've got an email from an
| executive in a SaaS telling me they aren't worried because
| they geofilter China.
| fancyswimtime wrote:
| what?
| RankingMember wrote:
| I agree, I'm blown away at the level to which this kind of
| probing and exfiltration has been abstracted. Not quite
| surprised that years of iteration have led to this, but still,
| I didn't realize it'd become _this_ easy.
| jerf wrote:
| "I'd heard of sqlmap but I didn't realize it was so good that
| you can just hand it a URL that hits the database and the tool
| basically figures out from there how to dump the database
| contents if there's any SQL injection vulnerability."
|
| If there's one lesson I'd convey to people about security it is
| _do not underestimate your foes_. They've been building tools
| for decades just like any other discipline.
|
| Tech to find a hole in your system that lets you run an
| arbitrary-but-constrained fragment of shell code that can put a
| small executable on to the system that puts a larger executable
| on that lifts itself up to root and also joins a centralized
| command-and-control server with the ability to push arbitrary
| code across entire clusters of owned systems is not some sort
| of bizarre, exotic technology that people only dream of... it's
| _off-the-shelf tech_. It's a basic building block. Actually
| _sophisticated_ attackers build up from there.
|
| If $YOU're operating on the presumption I see so often that the
| script kiddies blind-firing WordPress vulnerabilities at
| servers are the height of attackers' sophistication $YOU are
| operating at an unrecoverable disadvantage against these
| people.
| ryanrasti wrote:
| > Q: Can I monitor a phone without them knowing?
|
| > A: Yes, you can monitor a phone without them knowing with
| mobile phone monitoring software. The app is invisible and
| undetectable on the phone. It works in a hidden and stealth mode.
|
| How is that even possible on a modern Android? I'd think one of
| the explicit goals of the security model would be to prevent
| this.
| ridgewell wrote:
| I'm not familiar with this app but based on the read, it sounds
| like they're essentially relying on someone to sneak into the
| target's phone, install an apk with a 'Settings' logo, where
| you grant it all permissions (I assume the installer
| facilitates the process of manually granting full permissions
| for each permissions type and disabling battery optimization).
| Android does allow you to effectively delegate full permissions
| to an app like that, albeit in a manual way.
| afarah1 wrote:
| Camera and microphone usage should be hard-wired to an LED
| Polizeiposaune wrote:
| and a switch which has a physical air gap when off.
| itslennysfault wrote:
| Thanks for your suggestion, but at this time the NSA
| cannot allow this change.
| ryanrasti wrote:
| Haha! That gave me a good laugh.
| MisterTea wrote:
| "But the switch will compromise its water tightness like
| the headphone jack does!" - every mobile sycophant.
| roland35 wrote:
| I wonder if it would show up in periodic permissions scans
| done by Android. Hopefully!
|
| But as the TechCrunch author stated, oftentimes alerting the
| stalker can be dangerous for the victim.
| boznz wrote:
| I think setting up your own evil-proxy or evil-wifi-hotspot and
| periodically connecting your phone to them may help in the
| detection of these and many other phone home malware. I am
| getting closer to the paranoia threshold to almost give it a
| try.
| esaym wrote:
| > The live photo and microphone options are particularly creepy,
| successfully taking a photo or recording and uploading it for me
| to view near-instantly on the control panel without giving the
| phone user the slightest sign that anything is amiss
|
| Oh dear.
| blueplanet200 wrote:
| From sqlmap
|
| > "Usage of sqlmap for attacking targets without prior mutual
| consent is illegal. It is the end user's responsibility to obey
| all applicable local, state and federal laws. Developers assume
| no liability and are not responsible for any misuse or damage
| caused by this program"
|
| I don't know the legal footing these spyware apps stand on, but
| this blog post seems like exhibit A if Catwatchful ever decided
| to sue the author, or press criminal charges. Hacking, even for
| reasons that seem morally justified, is still illegal.
| VWWHFSfQ wrote:
| Yeah this whole exercise was completely illegal and I'm
| surprised this person publicly (and proudly) blogged about it
| like this.
|
| They probably need to engage an attorney now.
| SoftTalker wrote:
| Author is in Canada, not sure if/how that changes things.
| mtlynch wrote:
| The server they compromised is essentially a command and
| control server for an illegal botnet.
|
| Are there documented cases of botnet owners trying to sue or
| get law enforcement to prosecute someone for infiltrating
| their botnet?
|
| I'd be more concerned about extralegal retaliation from
| people in the malware ecosystem.
| dylan604 wrote:
| Hey, that's my server, and is totally 100% legit. I was
| unaware that I was pwnd and someone was using it as a C&C
| server. I'm now suing you for hacking my server, as you
| _could_ be the person that installed the C&C server. After
| all, you are an admitted hacker.
|
| Stranger things have won in court
| rendall wrote:
| Your theory is that Daigle is at risk of a Canadian
| prosecutor hauling him into court based on the criminal
| complaint of a Uruguayan purveyor of stalkerware? That's
| novel.
| eddythompson80 wrote:
| I think the theory is that Daigle has publicly professed to
| committing a crime, sharing all their steps and receipts.
| It'll be unheard of, of course, if a Uruguayan purveyor of
| stalkerware takes him to court.
|
| However, next time he talks about emulating Nintendo games
| or whatever, I'm sure Nintendo lawyers would love to bring
| it up and point "how the defendant brazenly defies law and
| order with predetermination malice".
|
| Not to begin to even mention now some shady criminal might
| hold a grudge against Daigle. I hope his security is
| airtight.
|
| There is a reason these reports are usually anonymous or
| follow responsible disclosure.
| dylan604 wrote:
| Just preface the story with "last night I had a dream
| that I..." Now, it is a work of fiction.
| eddythompson80 wrote:
| Pretty sure that has never stood in court and it can only
| hurt you. It shows to the jury that you're trying to be
| dishonest.
| rendall wrote:
| Rest easy, Daigle is legally immune from concern
| trolling.
| eddythompson80 wrote:
| good for him
| lcnPylGDnU4H9OF wrote:
| > next time he talks about emulating Nintendo games or
| whatever
|
| This seems like a straw man, though? What if they just...
| continue to not do that? (I think this is what the other
| commenter meant with "concern trolling".)
|
| > Not to begin to even mention now some shady criminal
| might hold a grudge against Daigle.
|
| This is 1) not a problem a lawyer will help you with and
| 2) not a practical concern for most people in the US and
| Canada. For example, Brian Krebs continues to (read: he's
| not dead or otherwise intimidated into silence) put his
| name behind many similar reports of illegal activity.
| There is a reason law enforcement investigates and
| prosecutes violent crime.
|
| I don't really see a practical reason for this person to
| avoid putting their name behind this report. The only
| reason that seems to make sense is if this group is not a
| criminal enterprise. Then they might be at all inclined
| to file a lawsuit.
| mtlynch wrote:
| > _For example, Brian Krebs continues to (read: he's not
| dead or otherwise intimidated into silence) put his name
| behind many similar reports of illegal activity. There is
| a reason law enforcement investigates and prosecutes
| violent crime._
|
| Brian Krebs invests a huge amount into keeping his home
| address a secret and has extensive surveillance at his
| home to keep intruders out. He was once SWATed and
| another time someone ordered heroin to his home and
| called the police to frame him for drug smuggling.[0]
|
| It's a bit of a miracle that Krebs continues his
| reporting. Krebs' courage and opsec is not very easy to
| achieve, especially for a 23 year old blogger like OP.
|
| [0] https://news.ycombinator.com/item?id=42354602
| lawlessone wrote:
| Class action lawsuit from a group of stalkers?
| rendall wrote:
| That would be an amusing exercise in self-incrimination &
| discovery pain for Catwatchful. They would also have to
| quantify business losses, which requires admitting the value of
| an illicit enterprise. But YOLO am I right? LFG!
| deadbabe wrote:
| About half of hacking articles are just fake things people
| claim to have done but didn't actually happen and no one checks
| on it, and conveniently by the time they publish the exploit
| was "fixed". So you can't verify for yourself anyway.
|
| Without hard proof that the author did what they said they did,
| you have no real case. This particular story already sounds
| far-fetched but makes good fantasy.
| munchler wrote:
| FWIW, this story has been verified by a reporter at
| TechCrunch, who says he used the dumped database to identify
| the spyware admin in Uruguay.
|
| https://techcrunch.com/2025/07/02/data-breach-reveals-
| catwat...
| deadbabe wrote:
| Doesn't change what I said
| bspammer wrote:
| It's unexpected to me that someone with the technical knowhow to
| build spyware like this and a nice web interface for it, made
| basic mistakes like storing passwords in plaintext and piping
| unescaped user input into database queries.
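The two mistakes named above, each shown next to its fix, as an added example that is not code from the thread, the blog post, or the spyware's own backend. Everything in it is constructed: an in-memory SQLite table `devices(imei, owner)` stands in for the real database, and `imei` is treated as attacker-controlled input, the way a `?imei=` query parameter would be.

```python
"""Added example (not from the thread or from the service discussed):
unescaped input in a query and plaintext password storage, each next to
its fix. The table, rows and scrypt parameters are constructed choices."""
import hashlib
import hmac
import os
import sqlite3

# scrypt cost parameters (constructed choice; about 16 MiB of memory per hash)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def make_db():
    """Constructed in-memory table standing in for the real device table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE devices (imei TEXT, owner TEXT);"
        "INSERT INTO devices VALUES ('IMEI-A', 'alice'), ('IMEI-B', 'bob');"
    )
    return conn


def get_device_vulnerable(conn, imei):
    # Mistake 1: the value is pasted into the SQL text, so quotes and
    # keywords inside it change the query instead of being compared.
    sql = "SELECT imei, owner FROM devices WHERE imei = '" + imei + "'"
    return conn.execute(sql).fetchall()


def get_device_safe(conn, imei):
    # Fix 1: a bound parameter. The driver ships the value separately from
    # the statement, so the same input is matched literally and returns
    # nothing.
    return conn.execute(
        "SELECT imei, owner FROM devices WHERE imei = ?", (imei,)
    ).fetchall()


def hash_password(password, salt=None):
    # Fix 2: store a salted, memory-hard hash rather than the password.
    # Record format: hex(salt) "$" hex(digest).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", get_device_vulnerable(db, probe))  # both rows
    print("safe:      ", get_device_safe(db, probe))        # []
    rec = hash_password("correct horse")
    print(rec)
    print(verify_password("correct horse", rec), verify_password("wrong", rec))
```

The point of the side-by-side is that the safe version is not more code: a placeholder and a tuple replace the string concatenation, and the password column stores a value that is useless to anyone who dumps the table.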
| imzadi wrote:
| I'd be willing to bet that getting their users' passwords is
| part of their goal. So they would need to be stored somewhere.
| andoando wrote:
| They probably just didn't care to
| JohnMakin wrote:
| Some time ago I was having super weird phone issues (iPhone) and
| narrowed it down to one of these services. I clearly had been 0
| click vuln'd because I couldn't fathom how else it could have been
| infected, but had no idea who or why, still don't know. Felt
| extremely gross and I have absolutely zero sympathy for any users
| or operators of these services and think this researcher was far
| too polite about it.
| ceva wrote:
| Someone who is in malware business will 100% not sue you for what
| you did, I wouldn't worry about that at all. You did a good job!
| gpm wrote:
| The TechCrunch article says
|
| > Google said it added new protections for Google Play Protect
|
| But the screenshot of the device settings in the article shows
| that the app has you turn off Google Play Protect. So does this
| even do anything?
|
| Meanwhile Google (via its Firebase brand) is apparently
| continuing to act as a host for this app...
___________________________________________________________________
(page generated 2025-07-08 23:00 UTC)