Airscanner Mobile Security Advisory #07062901:
FlexiSPY Victim/User Database Exposure (Full world readable access to ALL SMS/Emails/Voice data from victims/users)

Product:
FlexiSpy.com Website

Platform:
NA

Requirements:
NA

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
June 14, 2007

Risk Level:
High - Sensitive information disclosure for all devices on which FlexiSpy is installed

Summary:
FlexiSpy.com's user administration web application contains a critical bug that allows anyone to view anyone elses captured voice, SMS, email, or location. This can be accessed via a 'Demo' account from the FlexiSpy.com website.

Details:
FlexiSpy is a program sold as 'Spy Software for mobile / cell phones' with which you can 'Catch cheating husbands wives and employees'. The software comes in several version, the most powerful of which has the following features:

When an event occurs, the information related to that event is uploaded to their secure server. The person who purchased the software can then log into the website and review the information. The following figure is a screenshot taken from the 'Demo' page, which gives prospective users a chance to see what kind of data is collected.

Figure 1: Screenshot of administration screen for 'demo' user

To view information about an item, a user has to click on the link under the 'Type' column, which will then show the information related to that email, SMS, or call. Various bits of data are collected, such as callers phone number, the contents of the SMS message, and copies of the text in captured emails.


Figure 2: Example of capture email

Each item is assigned a specific id, which is contained in the URL:

http://flexispy.com/report.do?act=doGetDetail&id=2471018

The problem with the application is that the ID number can be manually changed (e.g. http://flexispy.com/report.do?act=doGetDetail&id=2471000), thus allowing access to other users data. As a result, people who have the FlexiSpy program loaded on their phones are not only being subjected to the spying activities of the person who installed the spyware, but also have potentially been exposed to anyone who found this vulnerability.

Note:

Given that the numbers are for the most part sequentially assigned, a malicious hacker could have created an application that downloaded the details for each and every item stored in the database for each and every user/victim of the software.

Workaround:
Uninstall the software from the victim's phone. Delete all existing messages that are stored on FlexiSpy's server.

Update (070629):
According to an anonymous source who contacted us after this was posted on Bugtraq, the FlexiSPY web application was previously discovered by numerous people and has been exploited repeatedly.

Copyright (c) 2007 Airscanner Corp.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.