Hacker Exposes pcTattletale: Spyware Used by Hotels Compromised
A hacker breached the website of the spyware application pcTattletale, which was found to be installed on registration systems of several Wyndham hotel chain locations in the United States. The attacker posted offensive content on the official page and leaked more than a dozen archives containing databases and the program’s source code.
The developers marketed pcTattletale as “a program for monitoring employee and child activity.” However, according to TechCrunch, a vulnerability in the application’s API also made it possible to steal guests’ confidential data and client information recorded in registration systems.
Renowned researcher Eric Daigle was the first to discover the presence of pcTattletale spyware in the operational systems of Wyndham hotels. He published a detailed analysis, explaining that the critical vulnerability he found in the API allowed attackers to access screenshots secretly taken by the application on victims’ devices.
Three years ago, Vice reported that pcTattletale could take real-time screenshots from Android devices.
Daigle repeatedly but unsuccessfully attempted to contact the application’s developers, urging them to promptly address the issue. Unfortunately, his appeals were ignored.
The activities of pcTattletale’s creators are particularly scandalous against the backdrop of an old YouTube video where Brian Fleming, the program’s author, almost openly refers to his creation as “spyware.” The video was published seven years ago.
“Download the free trial version and install it on your home Windows computer, and you’ll see it works fantastically. It’s amazing how the application records keystrokes, allowing you to monitor any activity of your children or employees on the PC.”
Despite the developer’s words, Microsoft still classifies pcTattletale as malware. After Eric Daigle publicized the critical vulnerability, a hacker took it as a challenge. He claimed not to have used the vulnerability Daigle described. Instead, he allegedly employed a Python exploit to extract AWS credentials through the application’s SOAP interface, enabling him to obtain the source code.
Initially, BleepingComputer reached out to Brian Fleming for an explanation, but no immediate response was received.
Later, the hacker released a video showing what he claimed was the owner of pcTattletale attempting to restore the hacked site via FTP. Amusingly, this video was supposedly obtained using pcTattletale spyware installed on Fleming’s device.
Currently, the official website of the spyware application is non-functional. The popular breach tracking service Have I Been Pwned has recorded details of the incident.
According to HIBP head Troy Hunt, approximately 100 GB of data was exposed in the attack, including device information, MD5 password hashes, and intercepted SMS messages for 139,000 unique email addresses. About 58% of these addresses had already been compromised in previous incidents recorded by HIBP.
Additionally, Troy Hunt revealed that over a thousand subscribers of his Have I Been Pwned service would be notified that their personal data had been compromised as a result of the pcTattletale breach.