main
maia arson crimew 2024-02-13 18:37:28 +01:00
parent 8a644d1aef
commit 45fed06ae7
1 changed files with 1 additions and 1 deletions


@ -55,7 +55,7 @@ with the shell planted on the system i did my usual prowl through the file syste
finally having a separate test phone again to run shady software on in an isolated context, i set out to also actually look over the TruthSpy attack surface as well. a decompilation i did of the client earlier showed that the app contacts its backend completely over plain HTTP, which is a massive privacy and security issue due to how easy it makes the interception of all traffic when on the same network, like on public wifi. however, it also makes my analysis super easy :3! i set up [ZAP](http://zaproxy.org/) to intercept all traffic from the phone and installed the client. it was apparent that the device api still has no authentication beyond sending the device id with all requests.
trying to get a potential way to drop another webshell i played around with the photo history and remote photo features, "remotely" taking a photo of myself without touching the phone at all. it definitely felt felt kind of scary, even after all the research ive already done into stalkerware by now. aafter some futile tries to use the endpoint to upload arbitrary files i gave up, but as Zack has previously [reported on data leaked from the TruthSpy server](https://techcrunch.com/2023/07/20/thetruthspy-stalkerware-forged-passports-millions/) already i wasn't too bummed. looking through all the other endpoints called by the client i ended up finding the final IDOR vuln to complete the data puzzle i'd been assembling, a way to get the abuser account email addresses from the device ids i already had from the ByteMe leak. however i only managed to grab emails for about half of all affected devices, as the device api is seemingly just broken for a large number of (older) devices, returning internal error messages (mostly null pointers and array out of index errors) rather than the requested data.
trying to get a potential way to drop another webshell i played around with the photo history and remote photo features, "remotely" taking a photo of myself without touching the phone at all. it definitely felt felt kind of scary, even after all the research ive already done into stalkerware by now. after some futile tries to use the endpoint to upload arbitrary files i gave up, but as Zack has previously [reported on data leaked from the TruthSpy server](https://techcrunch.com/2023/07/20/thetruthspy-stalkerware-forged-passports-millions/) already i wasn't too bummed. looking through all the other endpoints called by the client i ended up finding the final IDOR vuln to complete the data puzzle i'd been assembling, a way to get the abuser account email addresses from the device ids i already had from the ByteMe leak. however i only managed to grab emails for about half of all affected devices, as the device api is seemingly just broken for a large number of (older) devices, returning internal error messages (mostly null pointers and array out of index errors) rather than the requested data.
{% figure { src: '/img/posts/fuckstalkerware-4/tts-selfie.jpg', alt: 'a low resolution selfie of me covering my face with one hand doign the peace sign and holding my other hand up in the air. i am wearing a merch piece from the musician femtanyl, a long sleeve and headphones', caption: 'the hands free selfie i remotely took using TruthSpy' } %}
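Review bot: the one-word change in the rewritten line fixes "aafter" but leaves the doubled word in the same sentence ("it definitely felt felt kind of scary"); since that line is already being touched, drop the duplicate "felt" in this commit rather than in a follow-up. The unchanged context line below it also carries "doign" in the figure alt text ("doign the peace sign"), which is worth fixing in a later commit because alt text is what screen readers announce.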