mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.
Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.
This kind of software is pretty gross to begin with. I’m not a parent, so I might be completely off-base here, but it seems to me that there’s an extraordinary amount of risk that is assumed in collecting everything your kid does relative to the actual benefits you might get out of doing so. Spying on your partner — or, potentially, employees — seems completely unethical.
Shah said when he tried to alert mSpy of his findings, the company’s support personnel ignored him.
“I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security,” Shah said.
KrebsOnSecurity alerted mSpy about the exposed database on Aug. 30. This morning I received an email from mSpy’s chief security officer, who gave only his first name, “Andrew.”
This is a chickenshit response. Regardless of the ethical implications of mSpy’s spyware, a report of a security breach should be treated with more gravity than this. Why wouldn’t they prioritize this? Are they so afraid of making mistakes that they evade acknowledging, fixing, or apologizing for them?
In general, it is appalling to me the lengths that individuals and organizations alike will go to in order to cover up or hide from a mistake or a controversy. If you have any integrity whatsoever, you own your values and your actions. If they are seen as problematic, you try to understand why. If you want to stand by those actions, you should be able to produce evidence for your defence. But change can also be cathartic for everyone involved. There is no honour or benefit in trying to hide from actions that are being questioned.