http://blog.washingtonpost.com/securityfix/2007/07/cell_phone_spying_service_leak.html?nav=rss_blog
Cell Phone Spying Service Leaking Data?

http://it.slashdot.org/article.pl?sid=07/07/06/142225
Last week, the geek news world was abuzz with news of a spying service that
lets people intercept text messages, call logs, e-mails and other
information from BlackBerry and Windows Mobile-equipped smart phones. But it
appears the privacy threat is even bigger: According to evidence unearthed
by at least one security researcher, the company that offers the intercept
service has left its database freely viewable to anyone with a Web browser.

http://www.flexispy.com/
The service at issue, FlexiSPY, is touted as one that can help customers
"catch cheating wives or cheating husbands, stop employee espionage, protect
children, make automatic backups, bug meetings rooms [sic] etc." The company
even offers a demo account that potential customers can use to check out a
sampling of intercepted communications.
http://blog.washingtonpost.com/securityfix/flexi.jpg

One security researcher found that by using this application, people are
exposing the records of those they're spying on to the entire world. The
trouble stems from the fact that each item in the database is assigned a
specific numeric ID, which is contained in the URL. According to this
advisory, penned by a researcher at AirScanner, a mobile and wireless
security company, by simply modifying that address, the demo account allows
full access to the database going back at least until the middle of last
year.
http://airscanner.com/security/07062901_flexispy.htm
http://www.airscanner.com/
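
The flaw described above, a record fetched by the numeric ID in the URL with no check that it belongs to the logged-in account, shown as an added Python example next to the corrected lookup. It is not code from the article, the advisory or FlexiSPY; Record, RECORDS, the fetch_* functions and the sample data are assumptions made for illustration.

```python
# Added illustration: all names and data here are hypothetical/constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    record_id: int   # sequential ID that ends up in the URL
    owner: str       # account the record belongs to
    body: str

# Constructed sample data: one demo-account record and one customer record.
RECORDS = {
    1001: Record(1001, "demo", "sample SMS shown to prospective customers"),
    1002: Record(1002, "customer-a", "private call log"),
}

class NotFound(Exception):
    """Raised for missing and for unauthorized records alike, so the
    response does not reveal which IDs exist."""

def fetch_vulnerable(session_user, record_id):
    # Flawed pattern: being logged in is treated as sufficient and the ID
    # from the URL is trusted as-is, so any account can read any record.
    if session_user is None:
        raise PermissionError("login required")
    return RECORDS[record_id]

def fetch_hardened(session_user, record_id):
    # Object-level authorization: the record must belong to the caller.
    if session_user is None:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        raise NotFound(record_id)
    return record

def audit(fetch, users=("demo", "customer-a")):
    """Regression check: list (user, record_id) pairs where a user was
    handed a record owned by a different account."""
    leaks = []
    for user in users:
        for rid in RECORDS:
            try:
                got = fetch(user, rid)
            except (NotFound, PermissionError):
                continue
            if got.owner != user:
                leaks.append((user, rid))
    return leaks
```

Running audit() against each lookup in a test suite turns the ownership rule into something that fails loudly if a later change drops the check.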

http://www.vervata.com/index.htm
I contacted Vervata LTD, the London-based company that owns FlexiSPY, but
have yet to hear back. But AirScanner's advisory has been live since June
14, and the FlexiSPY phone records database still appears to be wide open.
An update posted to that advisory on June 29 states: "According to an
anonymous source who contacted us after this was posted on Bugtraq, the
FlexiSPY web application was previously discovered by numerous people and
has been exploited repeatedly."

Update, 10:56 a.m.: I spoke by phone this morning with Atir Raihan,
Vervata's managing director. Raihan said the company was not aware of any
vulnerability in the company's database, and that when visitors type in
custom URLs after logging into the FlexiSPY demo account, they are
automatically kicked back to the login page. Security Fix tested his claim
and found it to be true, although up until at least June 28, the hack
detailed by AirScanner did indeed work as described. 

Brooks Isoldi, editor

http://www.intellnet.org