Airscanner Advisory #07062901: FlexiSPY Victim/User Database Exposure (Full world readable access to ALL SMS/Emails/Voice data from victims/users)

["Airscanner Corp." <seth () airscanner com>]

http://airscanner.com/security/07062901_flexispy.htm

Airscanner Mobile Security Advisory #07062901:
FlexiSPY Victim/User Database Exposure (Full world readable access to 
ALL SMS/Emails/Voice data from victims/users)
Product: FlexiSpy.com Website

Platform:
NA

Requirements:
NA

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
June 14, 2007

Risk Level:
High - Sensitive information disclosure for all devices on which 
FlexiSpy is installed

Summary:
FlexiSpy.com's user administration web application contains a critical 
bug that allows anyone to view anyone elses captured voice, SMS, email, 
or location. This can be accessed via a 'Demo' account from the 
FlexiSpy.com website.

Details:
FlexiSpy is a program sold as 'Spy Software for mobile / cell phones' 
with which you can 'Catch cheating husbands wives and employees'. The 
software comes in several version, the most powerful of which has the 
following features:

SMS Logging (incoming/outgoing)

Email Logging (incoming/outgoing)

Call History (incoming/outgoing)

Call Duration (incoming/outgoing)

Contact Name in Address book linked to each call/sms



When an event occurs, the information related to that event is uploaded 
to their secure server. The person who purchased the software can then 
log into the website and review the information. The following figure is 
a screenshot taken from the 'Demo' page, which gives prospective users a 
chance to see what kind of data is collected.

Figure 1: Screenshot of administration screen for 'demo' user

To view information about an item, a user has to click on the link under 
the 'Type' column, which will then show the information related to that 
email, SMS, or call. Various bits of data are collected, such as callers 
phone number, the contents of the SMS message, and copies of the text in 
captured emails.

Figure 2: Example of capture email

Each item is assigned a specific id, which is contained in the URL:

http://flexispy.com/report.do?act=doGetDetail&id=2471018

The problem with the application is that the ID number can be manually 
changed (e.g. http://flexispy.com/report.do?act=doGetDetail&id=2471000), 
thus allowing access to other users data. As a result, people who have 
the FlexiSpy program loaded on their phones are not only being subjected 
to the spying activities of the person who installed the spyware, but 
also have potentially been exposed to anyone who found this vulnerability.

Note:

Given that the numbers are for the most part sequentially assigned, a 
malicious hacker could have created an application that downloaded the 
details for each and every item stored in the database for each and 
every user/victim of the software.

Workaround:
Uninstall the software from the victim's phone. Delete all existing 
messages that are stored on FlexiSpy's server.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.