Spyware is supposed to spy upon people, most notably criminals or threat actors. However, nowadays even spyware aren’t protected from vulnerabilities and are exposed to hackers. Recently we reported on the hacking of several spyware apps including FlexiSpy, Retina-X and TheTruthSpy. Now there is another spyware to join the list of victimized apps.
Motherboard reports that a parental control related spying app Family Orbit exposed nearly 281 GB of data online. The data was stored on an unsecured server and the presence of such a large number of Family Orbit customers’ data online was discovered by a hacker. The hacker then reported about the flawed server to Motherboard.
About 3,836 containers were stored on Rackspace and included video footages too. The hacker also posted screenshots to prove that he has gained access to the folders.
“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” stated the unidentified hacker.
Motherboard also verified the data breach and stated that the data belonged to active users who used those email addresses to register to the service. Motherboard assessed 6 of the email addresses and concluded that the addresses were active.
Family Orbit is marketed as the best “parental control app” currently available online. The concerning aspect is that the exposed data includes hundreds of pictures of children, who were being monitored by their parents or family members through the app. The data was protected by an easy-to-guess password only. He found the key on the cloud servers of the spyware app.
The hacker who discovered the unprotected server is known for hacking of Retina-X, another spyware, and managed to wipe its servers twice. The data breach has been confirmed by the company as well. In an official statement, the company noted that:
“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets.”
As per a spokesperson of Family Orbit, the spyware’s API key is stored in the app in an encrypted form and that the company did observe the use of unusual bandwidth in their cloud server. As soon as the company detected the bandwidth, the API key and login credentials were changed immediately. Moreover, the sales and services were also taken offline until the flaw was fixed.
Image credit: Depositphotos