Content warning: Domestic abuse, stalking, controlling behavior, Schadenfreude, irony. A new data leak shows the dangers of secret, silent stalkerware. An app known as Catwatchful appears to be just as insecure as all the others. (Also known as spouseware and creepware, this vile trade enables all manner of frightening and dangerous abuse, from stalking to serious sexual assault. It’s no laughing matter.)
The Catwatchful app’s user login database was vulnerable to a simple SQL injection attack. In today’s SB Blogwatch, we call for Little Bobby Tables.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Space shrimp.
What’s the craic, Zack? Mr. Whittaker claims this breathless exclusive: Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
“More than 62,000 customers”
The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app.
…
Spyware apps like Catwatchful … are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal. Catwatchful … is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings.
…
Catwatchful had email addresses and passwords of more than 62,000 customers and the phone data from 26,000 victims’ devices. … Some of the records date back to 2018.
Won’t somebody think of the children? Pieter Arntz has no love for the genre: “Child monitoring” app exposes victims’ data
“Stalkerware companies put profits before privacy”
If an app markets itself as being for “child monitoring”, a customer might expect that their data and those of the person you’re monitoring is handled with the utmost care and respect. However, as we’ve seen many times before, stalkerware … apps have a tendency to be low quality and lack security.
…
Make no mistake, this is nasty stuff. … Stalkerware apps continue to pose a serious threat to privacy and security. … Recent leaks revealed that apps like Spyzie, Cocospy, and Spyic exposed millions of victims’ private information, including messages, photos, and locations. The attackers also obtained the email addresses of more than three million customers.
…
After the breaches, these apps disappeared from the internet, likely trying to avoid legal consequences rather than fixing security. … Stalkerware companies put profits before privacy, leaving victims and users vulnerable to further harm.
Horse’s mouth? Eric Daigle: Taking over 60k spyware user accounts with SQL injection
“We now control every account on the service”
I began by making a free trial account on the website. … I’m presented with a control panel with which to spy on my test phone. … The live photo and microphone options are particularly creepy, successfully taking a photo or recording and uploading it for me to view near-instantly, … without giving the phone user the slightest sign that anything is amiss. … I figured I may as well try SQLI.
…
Well that was easy. … Time to see what we can get out of this thing:
…
Table user … contains plaintext logins and passwords for all ~62k Catwatchful accounts. … We now control every account on the service. … Dumping a stalkerware service’s database lets you do lots of fun things like identify who runs it and report it to various cloud providers who claim they’ll take it down.
But who’s putting this awful garbage on their kids’ phones? ChefJeff789 isn’t:
As a parent of relatively young kids, I can understand the desire to curate content availability for my kids, mostly to avoid exposing them to ads, porn, and violence. I have never understood the parents that are so controlling, though, that they feel they need this level of surveillance.
…
My kid’s tablets have some app, content, and time limits, but I want them to know what those limits are and why they are present. I want them to see popups and talk to me about it. If you’ve reached the point where you feel that clandestine surveillance of your children is necessary, you’ve lost the plot somewhere, I think.
Sounds sensible. Mr. Dollar Ton thinks people should stop hitting themselves:
It is advertised as a “child safety” solution. Therefore the main demographic are model parents. They are typically installing it on the expensive remote controls their [child] carries.
…
In the real world these remotes are owned by the model parents. … Not sure what the complaint is about.
It’s not really about the kids, though, is it? Here’s UserIDAlreadyInUse:
My guess is that the market for “completely undetectable monitorware” runs more towards the type of person that tracks how long — to the minute — their partner is out at the grocery store, has locks on the kitchen cupboards, the only keys to the deadbolts on the doors and very definite opinions on the clothing they’re allowed to wear, and when.
And u/beadzy identifies another risk:
Yeah random kid tracker apps are just a recipe for kidnapping.
Wait. Pause. Did we forget about the horrific data security practices? Komarov didn’t:
How? How do you still store plaintext passwords on a server in this day and age?
…
If I had a penny for every dumb, lazy dingbat who call themselves programmers. SQL injection is trivial—all you need is for said dingbat to construct their queries with string concatenation or some such idiocy. 7:3 the backend is written in PHP, too.
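The two failures the Daigle write-up and Komarov’s comment describe, a login query glued together by string concatenation and a user table holding plaintext passwords, side by side with the parameterized, hashed version. This is an added example, not code from the post, from Daigle’s write-up or from Catwatchful; the table names, the sample user and the helper functions are my own constructions, and an in-memory SQLite database stands in for the backend.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the backend: two shapes of the same user table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE user_plain  (email TEXT, password TEXT);          -- what the leak exposed
CREATE TABLE user_hashed (email TEXT, salt BLOB, pw_hash BLOB); -- what it should hold
""")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a dump of this column yields no usable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(email: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO user_plain VALUES (?, ?)", (email, password))
    conn.execute("INSERT INTO user_hashed VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))
    conn.commit()


def login_vulnerable(email: str, password: str) -> bool:
    # The anti-pattern: caller input becomes part of the SQL text, so the
    # WHERE clause itself can be rewritten by whoever fills in the form.
    query = ("SELECT email FROM user_plain WHERE email = '" + email
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(email: str, password: str) -> bool:
    # Parameter binding keeps input as data, and the stored value is a salted
    # hash compared in constant time rather than a plaintext string.
    row = conn.execute("SELECT salt, pw_hash FROM user_hashed WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def dumped_plaintext_passwords() -> list:
    """What an attacker reading the plaintext table gets: every password, as-is."""
    return [pw for (pw,) in conn.execute("SELECT password FROM user_plain")]


add_user("alice@example.test", "correct horse")  # constructed sample account
TAUTOLOGY = "' OR 1=1 --"  # classic test input that turns the WHERE clause always-true
```

Run against the sample account, the concatenated version accepts the tautology input with any password while the parameterized version treats it as an e-mail address that does not exist.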
Meanwhile, cmseagle sounds slightly sarcastic:
No iOS Support? Why can’t I get this in the App Store? Damn that walled garden.
Hat tip: PhosphorBurnedEyes
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Christian Maass (via Unsplash; leveled and cropped)