Taking over 60k spyware user accounts with SQL injection
36 comments · July 3, 2025 · submitted by mtlynch
sigmoid10
>I'd heard of sqlmap but I didn't realize it was so good
The blog correctly explains how it has become pretty useless in our age where no one writes their own database integration anymore and everyone uses off-the-shelf components, but man... I remember a time when it felt like literally every sufficiently complex web service was vulnerable to SQL injection. You could write a small wrapper for sqlmap, hook it up to the results of a scraper, let it run overnight on every single piece of data sent to the server, and the next day you'd have a bunch of entry points to choose from. It even handled WAFs to some degree. I've been out of it-sec for several years now, but I still remember every single command line argument for sqlmap like it was yesterday.
jerf
"I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability."
If there's one lesson I'd convey to people about security it is do not underestimate your foes. They've been building tools for decades just like any other discipline.
Tech to find a hole in your system that lets you run an arbitrary-but-constrained fragment of shell code that can put a small executable on to the system that puts a larger executable on that lifts itself up to root and also joins a centralized command-and-control server with the ability to push arbitrary code across entire clusters of owned systems is not some sort of bizarre, exotic technology that people only dream of... it's off-the-shelf tech. It's a basic building block. Actually sophisticated attackers build up from there.
If $YOU're operating on the presumption I see so often that the script kiddies blind-firing Wordpress vulnerabilities at servers is the height of attacker's sophistication $YOU are operating at an unrecoverable disadvantage against these people.
supriyo-biswas
The incorrect Firebase configuration usually stems from people trying to have the frontend write database entries directly, however these developers usually had an old-school backend sending structured objects to Firebase, so that issue was kinda mitigated.
RankingMember
I agree, I'm blown away at the level to which this kind of probing and exfiltration has been abstracted. Not quite surprised that years of iteration have led to this, but still, I didn't realize it'd become this easy.
ceva
Someone who is in the malware business will 100% not sue you for what you did, I wouldn't worry about that at all. You did a good job!
bspammer
It's unexpected to me that someone with the technical know-how to build spyware like this and a nice web interface for it made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
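The two mistakes named above, shown side by side with their fixes. This is an added example, not code from the thread, the blog post, or Catwatchful; the accounts are constructed sample data and the login function names are hypothetical. The vulnerable path splices user input into the SQL text and stores plaintext passwords; the fixed path binds parameters and stores salted PBKDF2 hashes, and the UNION payload shows the kind of column dump sqlmap automates once such a query is found.

```python
"""Added example (not from the thread or from Catwatchful): string-built SQL
and plaintext password storage beside their fixes, on an in-memory SQLite DB."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; nothing here comes from the real breach.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "correct horse")]
PBKDF2_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2 hash, self-describing so parameters can be rotated later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db(hashed):
    """In-memory SQLite; plaintext passwords if hashed=False, PBKDF2 otherwise."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    rows = [(n, hash_password(p) if hashed else p) for n, p in SAMPLE_USERS]
    db.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return db


def login_vulnerable(db, name, password):
    """String-built query: user input becomes part of the SQL itself."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, name, password):
    """Bound parameter for the lookup; hash verification in application code."""
    row = db.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    return name if row and verify_password(row[0], password) else None


def auth_bypass_payload():
    """Closes the password literal and ORs in an always-true predicate."""
    return "' OR '1'='1"


def dump_payload():
    """UNIONs the password column into the result; '--' comments out the rest."""
    return "' UNION SELECT password FROM users --"


def dump_via_injection(db):
    """What sqlmap automates: read another column through the login query."""
    sql = ("SELECT name FROM users WHERE name = 'x' AND password = '"
           + dump_payload() + "'")
    return sorted(r[0] for r in db.execute(sql).fetchall())


if __name__ == "__main__":
    plain = make_db(hashed=False)
    print(login_vulnerable(plain, "admin", auth_bypass_payload()))  # alice
    print(dump_via_injection(plain))  # ['correct horse', 'hunter2']
    hashed = make_db(hashed=True)
    print(login_fixed(hashed, "admin", auth_bypass_payload()))  # None
    print(login_fixed(hashed, "alice", "hunter2"))  # alice
```

Note that `login_fixed` deliberately does not compare the password inside the SQL at all: the database only ever sees the bound username, and even a full dump of the hashed table yields salted PBKDF2 strings rather than reusable credentials.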
imzadi
I'd be willing to bet that getting their users' passwords is part of their goal. So they would need to be stored somewhere.
JohnMakin
Some time ago I was having super weird phone issues (iPhone) and narrowed it down to one of these services. I clearly had been 0-click vuln'd because I couldn't fathom how else it could have been infected, but had no idea who or why, still don't know. Felt extremely gross and I have absolutely zero sympathy for any users or operators of these services and think this researcher was far too polite about it.
ryanrasti
> Q: Can I monitor a phone without them knowing?
> A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.
How is that even possible on a modern Android? I'd think one of the explicit goals of the security model would be to prevent this.
ridgewell
I'm not familiar with this app but based on the read, it sounds like they're essentially relying on someone to sneak into the target's phone, install an APK with a 'Settings' logo, where you grant it all permissions (I assume the installer facilitates the process of manually granting full permissions for each permission type and disabling battery optimization). Android does allow you to effectively delegate full permissions to an app like that, albeit in a manual way.
afarah1
Camera and microphone usage should be hard-wired to an LED
Polizeiposaune
and a switch which has a physical air gap when off.
roland35
I wonder if it would show up in periodic permissions scans done by android. Hopefully!
But as the TechCrunch author stated, oftentimes alerting the stalker can be dangerous for the victim.
blueplanet200
From sqlmap
> "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.
rendall
That would be an amusing exercise in self-incrimination & discovery pain for Catwatchful. They would also have to quantify business losses, which requires admitting the value of an illicit enterprise. But YOLO am I right? LFG!
VWWHFSfQ
Yeah this whole exercise was completely illegal and I'm surprised this person publicly (and proudly) blogged about it like this.
They probably need to engage an attorney now.
mtlynch
The server they compromised is essentially a command and control server for an illegal botnet.
Are there documented cases of botnet owners trying to sue or get law enforcement to prosecute someone for infiltrating their botnet?
I'd be more concerned about extralegal retaliation from people in the malware ecosystem.
dylan604
Hey, that's my server, and is totally 100% legit. I was unaware that I was pwnd and someone was using it as a C&C server. I'm now suing you for hacking my server, as you could be the person that installed the C&C server. After all, you are an admitted hacker.
Stranger things have won in court
lawlessone
Class action lawsuit from a group of stalkers?
rendall
Your theory is that Daigle is at risk of a Canadian prosecutor hauling him into court based on the criminal complaint of a Uruguayan purveyor of stalkerware? That's novel.
eddythompson80
I think the theory is that Daigle has publicly professed to committing a crime, sharing all their steps and receipts. It'll be unheard of, of course, for a Uruguayan purveyor of stalkerware to take him to court.
However, next time he talks about emulating Nintendo games or whatever, I'm sure Nintendo lawyers would love to bring it up and point out "how the defendant brazenly defies law and order with predetermined malice".
Not to begin to even mention now some shady criminal might hold a grudge against Daigle. I hope his security is air tight.
There is a reason these reports are usually anonymous or follow responsible disclosure.
SoftTalker
Author is in Canada, not sure if/how that changes things.
deadbabe
About half of hacking articles are just fake things people claim to have done but didn't actually happen, and no one checks on it, and conveniently, by the time they publish, the exploit was "fixed". So you can't verify for yourself anyway.
Without hard proof that the author did what they said they did, you have no real case. This particular story already sounds far fetched but makes good fantasy.
munchler
FWIW, this story has been verified by a reporter at TechCrunch, who says he used the dumped database to identify the spyware admin in Uruguay.
https://techcrunch.com/2025/07/02/data-breach-reveals-catwat...
deadbabe
Doesn’t change what I said
esaym
> The live photo and microphone options are particularly creepy, successfully taking a photo or recording and uploading it for me to view near-instantly on the control panel without giving the phone user the slightest sign that anything is amiss
Oh dear.
>Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.
I was surprised at how the malware devs made such sloppy mistakes but being on Firebase protected them from more severe vulnerabilities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.