Tag: Eric Daigle

  • Privacy Paradox: Freedom Chat Exposed User Phone Numbers and Secret PINs in Major Security Breach

    Freedom Chat, an application marketed as a secure messaging platform, has been exposed to serious risk following the discovery of two critical vulnerabilities. Despite assurances of data privacy—including the concealment of users’ phone numbers—researchers identified flaws that allowed access not only to those numbers but also to users’ PIN codes.

    According to researcher Eric Daigle, the vulnerabilities were uncovered last week. He disclosed the findings to TechCrunch after determining that Freedom Chat lacked a public channel for reporting security issues. The publication subsequently contacted the app’s founder, Tanner Haas, who confirmed the incident and outlined the steps taken in response.

    One of the flaws enabled bulk verification of phone numbers to determine which ones were registered on the platform. This technique mirrors an approach previously documented by researchers at the University of Vienna in their study of WhatsApp, where billions of number combinations were tested, resulting in the collection of data on billions of accounts.

    In addition, a separate vulnerability in Freedom Chat led to the exposure of PIN codes that users had set to protect access to the app. By analyzing network traffic, it was possible to observe that the PIN codes of other users sharing the same public channel were returned in server responses. Although these codes were not displayed in the interface, any channel participant could still obtain them.

    Daigle estimates that this flaw could have been used to collect PIN information for nearly two thousand registered users, potentially allowing attackers to bypass app-level protections if a device were stolen.

    The company has since released an update, tightened rate limits on server requests, and automatically reset all PIN codes to prevent unauthorized use. Developers also addressed scenarios in which phone numbers could become visible to other users of the service.
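The two fixes described above (stop returning other participants' PINs, and rate-limit lookups) map to two ordinary server-side controls. The following is an added example, not Freedom Chat's code or anything the researcher published; the field names, sample records and limits are constructed for illustration. It uses an allowlist when serializing a channel roster, so a sensitive column such as a PIN can never reach a response by default, and a per-client sliding-window limiter of the kind a phone-lookup endpoint would sit behind.

```python
"""Added example (not the app's code): response allowlisting and per-client
rate limiting, the two classes of fix the article describes."""
import time
from collections import deque

# Allowlist of fields the channel roster endpoint may reveal about any
# participant. Anything not listed here (pin, pin_hash, phone, email, ...)
# is dropped before the response is built, so adding a new sensitive column
# to the user table cannot silently leak it.
PUBLIC_MEMBER_FIELDS = frozenset({"user_id", "display_name", "avatar_url"})

# Constructed sample rows standing in for a user table (hypothetical values).
SAMPLE_CHANNEL_MEMBERS = [
    {"user_id": "u1", "display_name": "Alice", "avatar_url": "a.png",
     "phone": "+15550100", "pin_hash": "hash-1"},
    {"user_id": "u2", "display_name": "Bob", "avatar_url": "b.png",
     "phone": "+15550101", "pin_hash": "hash-2"},
    {"user_id": "u3", "display_name": "Carol", "avatar_url": "c.png",
     "phone": "+15550102", "pin_hash": "hash-3"},
]


def serialize_member(record, viewer_id):
    """Return only the public projection of a participant record.

    The viewer's own phone number is included because they already know it;
    nobody else's phone number, and no PIN material at all, is ever emitted.
    """
    out = {k: v for k, v in record.items() if k in PUBLIC_MEMBER_FIELDS}
    if record["user_id"] == viewer_id:
        out["phone"] = record["phone"]
    return out


def channel_roster_response(members, viewer_id):
    """Build the roster payload a channel member receives."""
    return [serialize_member(m, viewer_id) for m in members]


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_seconds` for each client key.

    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.hits = {}

    def allow(self, client_key):
        now = self.clock()
        q = self.hits.setdefault(client_key, deque())
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def lookup_phone(limiter, client_key, phone, registered_phones):
    """Gate a contact-discovery lookup behind the limiter.

    Returns "rate_limited" once the client exceeds its budget; otherwise a
    boolean. The budget is what turns bulk probing into a slow, visible event
    rather than a one-off scrape.
    """
    if not limiter.allow(client_key):
        return "rate_limited"
    return phone in registered_phones


if __name__ == "__main__":
    print(channel_roster_response(SAMPLE_CHANNEL_MEMBERS, "u1"))
    limiter = SlidingWindowLimiter(max_requests=3, window_seconds=60)
    registry = {m["phone"] for m in SAMPLE_CHANNEL_MEMBERS}
    for n in range(5):
        print(n, lookup_phone(limiter, "client-A", "+15550100", registry))
```

The allowlist is the important half: a denylist ("strip `pin_hash`") fails the moment someone adds a `pin` or `recovery_code` column, whereas an allowlist fails closed. The limiter's numbers are placeholders; a real deployment would key on account and network identity and alert on sustained `rate_limited` responses.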

    Previously, Tanner Haas had faced criticism over another application, Converso, which was removed from app stores after security issues were discovered that exposed users’ private messages.

  • Catwatchful Spyware Hacked: Critical Flaw Exposes 62,000 User Logins & Victim Data

    A critical vulnerability has been discovered in the Android spyware app known as Catwatchful, resulting in a significant data breach that compromised the personal information of thousands of users—including the administrator of the service itself. The flaw was identified by Canadian cybersecurity researcher Eric Daigle. Due to a systemic failure, the full contents of Catwatchful’s database, including users’ email addresses and passwords, became publicly accessible. These users had employed the app to secretly monitor other people’s phones.

    Catwatchful masquerades as a parental control application but in reality uploads private data from the victim’s device to a server, granting the installer access to a trove of sensitive information—photos, messages, location data, audio recordings, and even remote control of cameras.

    Such applications are banned from official app stores and require physical access to the target device for installation. As a result, Catwatchful and similar apps are often labeled as stalkerware or spouseware, designed to facilitate unlawful and covert surveillance of partners or family members.

    The Catwatchful breach marks the fifth incident this year involving spyware services falling victim to hacks or data leaks. This event underscores the ongoing proliferation of surveillance software despite its inherent technical vulnerabilities and inadequate security, endangering both the users and their targets.

    According to documents obtained by TechCrunch, the exposed database included over 62,000 client accounts and data from 26,000 infected devices. Most victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, with some entries dating back to 2018.

    Among the leaked records was the personal information of Catwatchful’s administrator, Uruguayan developer Omar Zoky Charkov. His name, phone number, email address, and a direct link to the Google Firebase server hosting victim data were all found in the unprotected database. Charkov’s email address matched contact details listed on his LinkedIn profile, which was hidden shortly after the breach came to light.

    The breach stemmed from a severe misconfiguration in the app’s API. Daigle explained that all deployed versions of the spyware connected to a custom API to transmit data, but the interface lacked any authentication, leaving the database completely exposed to the public.

    After TechCrunch alerted the hosting provider supporting Catwatchful, the developer’s account was temporarily suspended, disrupting the service. However, it was soon restored through HostGator, whose representatives declined to comment on the situation.

    TechCrunch confirmed that Catwatchful stores stolen data on Google’s Firebase cloud platform. Journalists installed the app on a sandboxed virtual device to monitor its network behavior and successfully captured its data transmissions to the Catwatchful server.

    Google was provided with samples of the malware and details of the Firebase server. In response, the company enhanced its Google Play Protect system to detect Catwatchful and alert users of its presence.

    Google representatives stated that an investigation is underway to determine whether Firebase was misused in violation of its terms of service. Should the investigation confirm misconduct, the company pledged to take appropriate action. However, at present, Catwatchful continues to operate on Google’s infrastructure.

    Although Catwatchful claims it cannot be removed, there is a method to detect and uninstall it. Dialing the code “543210” in the standard Phone app and pressing the call button reveals the app, even in hidden mode. This code grants access to the app’s settings and enables users to check for its presence.

    To remove Catwatchful, users can follow general Android spyware removal guidelines or seek assistance from organizations that support victims of digital abuse.