Airscanner Mobile Security Advisory #07062901:
FlexiSPY Victim/User Database Exposure (Full world readable access to
ALL SMS/Emails/Voice data from victims/users)
Product: FlexiSpy.com Website
Airscanner Mobile Security
June 14, 2007
High - Sensitive information disclosure for all devices on which
FlexiSpy is installed
FlexiSpy.com's user administration web application contains a critical
bug that allows anyone to view anyone elses captured voice, SMS, email,
or location. This can be accessed via a 'Demo' account from the
FlexiSpy is a program sold as 'Spy Software for mobile / cell phones'
with which you can 'Catch cheating husbands wives and employees'. The
software comes in several version, the most powerful of which has the
SMS Logging (incoming/outgoing)
Email Logging (incoming/outgoing)
Call History (incoming/outgoing)
Call Duration (incoming/outgoing)
Contact Name in Address book linked to each call/sms
When an event occurs, the information related to that event is uploaded
to their secure server. The person who purchased the software can then
log into the website and review the information. The following figure is
a screenshot taken from the 'Demo' page, which gives prospective users a
chance to see what kind of data is collected.
Figure 1: Screenshot of administration screen for 'demo' user
To view information about an item, a user has to click on the link under
the 'Type' column, which will then show the information related to that
email, SMS, or call. Various bits of data are collected, such as callers
phone number, the contents of the SMS message, and copies of the text in
Figure 2: Example of capture email
Each item is assigned a specific id, which is contained in the URL:
The problem with the application is that the ID number can be manually
changed (e.g. http://flexispy.com/report.do?act=doGetDetail&id=2471000),
thus allowing access to other users data. As a result, people who have
the FlexiSpy program loaded on their phones are not only being subjected
to the spying activities of the person who installed the spyware, but
also have potentially been exposed to anyone who found this vulnerability.
Given that the numbers are for the most part sequentially assigned, a
malicious hacker could have created an application that downloaded the
details for each and every item stored in the database for each and
every user/victim of the software.
Uninstall the software from the victim's phone. Delete all existing
messages that are stored on FlexiSpy's server.
Copyright (c) 2007 Airscanner Corp.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Airscanner Corp. If you wish to reprint the whole or
any part of this alert in any other medium other than electronically,
please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use on an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,