The incorrect Firebase configuration usually stems from people trying to have the frontend write database entries directly, however these developers usually had an old-school backend sending structured objects to Firebase, so that issue was kinda mitigated.

>I'd heard of sqlmap but I didn't realize it was so good

The blog correctly explains how it has become pretty useless in our age where noone writes their own database integration anymore and everyone uses off-the-shelf components, but man... I remember a time when it felt like literally every sufficiently complex web service was vulnerable to sql injection. You could write a small wrapper for sqlmap, hook it up to the results of a scraper, let it run over night on every single piece of data sent to the server and the next day you'd have a bunch of entry points to choose from. It even handled WAFs to some degree. I'm out of it-sec for several years now, but I still remember every single command line argument for sqlmap like it was yesterday.

I agree, I'm blown away at the level to which this kind of probing and exfiltration has been abstracted. Not quite surprised that years of iteration have led to this, but still, I didn't realize it'd become this easy.

"I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability."

If there's one lesson I'd convey to people about security it is do not underestimate your foes. They've been building tools for decades just like any other discipline.

Tech to find a hole in your system that lets you run an arbitrary-but-constrained fragment of shell code that can put a small executable on to the system that puts a larger executable on that lifts itself up to root and also joins a centralized command-and-control server with the ability to push arbitrary code across entire clusters of owned systems is not some sort of bizarre, exotic technology that people only dream of... it's off-the-shelf tech. It's a basic building block. Actually sophisticated attackers build up from there.

If $YOU're operating on the presumption I see so often that the script kiddies blind-firing Wordpress vulnerabilities at servers is the height of attacker's sophistication $YOU are operating at an unrecoverable disadvantage against these people.

sqlmap not only figures out how to dump the DB, they even provide a handy "shell" mode that parses SQL, converts it into an injection payload, and executes it on the server. It feels just like having a mysql or sqlite etc. shell. It even supports things like reading files and executing commands (!) if the server supports them (and if the DB user has the appropriate credentials).

Even better, it knows how to exploit blind SQLi and has a number of tricks for doing so: it can often tell if a query is succeeding or failing based on HTTP error codes, and it will do things like try various SLEEP() injections to see if it can hang the server. If it finds any blind SQLi opportunities, it has the ability to dump the entire database *one bit at a time* by just doing a ton of requests in parallel.

You can actually hand it a file full of HTTP request headers and it'll automatically figure out where the potential injection points are, and send a bunch of requests formatted identically to the provided headers. You can practically automate SQL injection testing with a suitable MITM proxy and some scripting.

It has options for disguising requests, for bypassing WAFs, for submitting requests using custom protocols, and a ton more. Just a really well designed tool overall.

this php webserver, its no wonder

I'm not familiar with this app but based on the read, it sounds like they're essentially relying on someone to sneak into the target's phone, install an apk with a 'Settings' logo, where you grant it all permissions (I assume the installer facilitates the process of manually granting full permissions for each permissions type and disabling battery optimization). Android does allow you to effectively delegate full permissions to an app like that, albeit in a manual way.

I think setting up your own evil-proxy or evil-wifi-hotspot and periodically connecting your phone to them may help in the detection of these and many other phone home malware. I am getting closer to the paranoia threshold to almost give it a try.

Yeah this whole exercise was completely illegal and I'm surprised this person publicly (and proudly) blogged about it like this.

They probably need to engage an attorney now.

That would be an amusing exercise in self-incrimination & discovery pain for Catwatchful. They would also have to quantify business losses, which requires admitting the value of an illicit enterprise. But YOLO am I right? LFG!

About half of hacking articles are just fake things people claim to have done but didn’t actually happen and no one checks on it, and conveniently by the time they publish the exploit was “fixed”. So you can’t verify for yourself anyway.

Without hard proof that the author did what they said they did, you have no real case. This particular story already sounds far fetched but makes good fantasy.

Considering that it the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target. More and more businesses are accepting the help when they are given it, such as their response to put a WAF in place. I do agree you shouldn't use your Christian name in these sorts of situations since priors have not been established with the targetted company; however Catwatchful has no impetuous to pursue meaningless charges for a stalker app as there are most likely no damages unless the service providers actually respond, which they most likely won't. Nothing ever happens to these people and do you think datacenters/hosts/providers really care about anything other than DMCA complaints? (report illicit/illegal content to a host provider that isn't copyright protected and wait.. you will be waiting long after your teeth have fallen out)

Do you really think that the users of a stalker app care if the app got "hacked" once or twice? Do you also think that the app makers themselves really want to remind the legal world that this stuff is legal when i bet you >50% of their users probably installed it on devices that aren't theirs? IDK, personally I would avoid the law at all costs if I released something this shady.

As someone noted, there is the issue of jurisdiction.

But Daigle probably did consider being liable and what would be morally justified.

It must have been tempting to try to use the Catwatchful app to notify the victims that they are being stalked. E.g., by getting phone numbers or social media handles and then SMS/DM the victims (if the app reveals the victims handles in the recorded conversations)

Or getting the IMEI numbers and handing them over to network operators or local authorities who could do the notification.

It would probably help many victims, but it could go wrong in some cases.

They'll usually get the bases for already existing things and then add in their own stuff at a much lower quality.

I'd be willing to bet that getting their user's passwords is part of their goal. So they would need to be stored somewhere.

They probably just didn't care to

Something I've learned over the years is that even very talented developers can be really bad at security.

In many cases it's just not something that's taught at school or that is covered in training. So it's a mindset that just isn't there, even when they're great at other parts of the craft.

If you're building anything that is going to be exposed to the public Internet and you aren't, at some point, going through the exercise of "how can people break or abuse or hack this" then you're missing a step for sure.

Malware developers often prioritize functionality and speed-to-market over security hygiene, operating under the "security through obscurity" fallacy that nobody will bother attacking their infrastructure.

How did you diagnose the issue? My iPhone feels like an appliance, and an increasingly slow and buggy one at that!