sqlmap https://catwatchful.pink/webservice/servicios.php?operation=getDevice&imei=M6GPYXHZ95ULUFD0
  ...
  sqlmap identified the following injection points

>Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.

I was surprised at how the malware devs made such sloppy mistakes but being on Firebase protected them from more severe vulnerablities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.

• sigmoid10

  07/08/2025

  >I'd heard of sqlmap but I didn't realize it was so good

  The blog correctly explains how it has become pretty useless in our age where noone writes their own database integration anymore and everyone uses off-the-shelf components, but man... I remember a time when it felt like literally every sufficiently complex web service was vulnerable to sql injection. You could write a small wrapper for sqlmap, hook it up to the results of a scraper, let it run over night on every single piece of data sent to the server and the next day you'd have a bunch of entry points to choose from. It even handled WAFs to some degree. I'm out of it-sec for several years now, but I still remember every single command line argument for sqlmap like it was yesterday.

  • technion

    07/08/2025

    Ive always admired hn for bringing me people in very different spaces. Of the development teams I've worked with in the last year pretty much all of them were writing injectable code by default. Ive got an email from an executive in a saas telling me they aren't worried because they geofilter china.

    • transcriptase

      07/09/2025

      The real security pros set their keyboard language to Russian.

      • carlmr

        07/09/2025

        Isn't it enough to have the Cyrillic keyboard installed?

      • HenryBemis

        07/09/2025

        oh damn you're showing your age here!! :)

    • HenryBemis

      07/09/2025

      Ship, ship, ship, and when we get discovered we/you/they write a nice corp spin email "we deeply care for our customers, acted responsibly to inform our clients promptly and worked fast to mitigate all relevant risks" (I've read enough of this BS comms so I don't need LLMs to make one for me). Right?

    • Lucasoato

      07/08/2025

      Implying Chinese hackers can't use a VPN to bypass that geofilter lol

      • GuB-42

        07/09/2025

        Even more ironic considering that China already geofences itself and using a VPN it pretty much a requirements if you want to communicate with the outside world.

        Chances are that these hackers are bypassing that filter without even realizing it.

        • jojobas

          07/09/2025

          Chinese state-employed hackers don't have to worry about VPNs.

          • GuB-42

            07/09/2025

            I wonder how many of these "state-employed hackers" are just random criminals and their bots, doing regular criminal stuff like stealing money from bank accounts.

            I easily see people claiming they are the target of a foreign government because it gives them importance and it is less shameful than a spam botnet.

    • fancyswimtime

      07/08/2025

      what?

• jerf

  07/08/2025

  "I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability."

  If there's one lesson I'd convey to people about security it is do not underestimate your foes. They've been building tools for decades just like any other discipline.

  Tech to find a hole in your system that lets you run an arbitrary-but-constrained fragment of shell code that can put a small executable on to the system that puts a larger executable on that lifts itself up to root and also joins a centralized command-and-control server with the ability to push arbitrary code across entire clusters of owned systems is not some sort of bizarre, exotic technology that people only dream of... it's off-the-shelf tech. It's a basic building block. Actually sophisticated attackers build up from there.

  If $YOU're operating on the presumption I see so often that the script kiddies blind-firing Wordpress vulnerabilities at servers is the height of attacker's sophistication $YOU are operating at an unrecoverable disadvantage against these people.

• supriyo-biswas

  07/08/2025

  The incorrect Firebase configuration usually stems from people trying to have the frontend write database entries directly, however these developers usually had an old-school backend sending structured objects to Firebase, so that issue was kinda mitigated.

• nneonneo

  07/09/2025

  sqlmap not only figures out how to dump the DB, they even provide a handy "shell" mode that parses SQL, converts it into an injection payload, and executes it on the server. It feels just like having a mysql or sqlite etc. shell. It even supports things like reading files and executing commands (!) if the server supports them (and if the DB user has the appropriate credentials).

  Even better, it knows how to exploit blind SQLi and has a number of tricks for doing so: it can often tell if a query is succeeding or failing based on HTTP error codes, and it will do things like try various SLEEP() injections to see if it can hang the server. If it finds any blind SQLi opportunities, it has the ability to dump the entire database *one bit at a time* by just doing a ton of requests in parallel.

  You can actually hand it a file full of HTTP request headers and it'll automatically figure out where the potential injection points are, and send a bunch of requests formatted identically to the provided headers. You can practically automate SQL injection testing with a suitable MITM proxy and some scripting.

  It has options for disguising requests, for bypassing WAFs, for submitting requests using custom protocols, and a ton more. Just a really well designed tool overall.

• RankingMember

  07/08/2025

  I agree, I'm blown away at the level to which this kind of probing and exfiltration has been abstracted. Not quite surprised that years of iteration have led to this, but still, I didn't realize it'd become this easy.

• tonyhart7

  07/09/2025

  this php webserver, its no wonder

• pinoy420

  07/09/2025

  [dead]

It's unexpected to me that someone with the technical knowhow to build spyware like this and a nice web interface for it, made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.

• imzadi

  07/08/2025

  I'd be willing to bet that getting their user's passwords is part of their goal. So they would need to be stored somewhere.

• sbarre

  07/09/2025

  Something I've learned over the years is that even very talented developers can be really bad at security.

  In many cases it's just not something that's taught at school or that is covered in training. So it's a mindset that just isn't there, even when they're great at other parts of the craft.

  If you're building anything that is going to be exposed to the public Internet and you aren't, at some point, going through the exercise of "how can people break or abuse or hack this" then you're missing a step for sure.

• ethan_smith

  07/09/2025

  Malware developers often prioritize functionality and speed-to-market over security hygiene, operating under the "security through obscurity" fallacy that nobody will bother attacking their infrastructure.

• andoando

  07/08/2025

  They probably just didn't care to

• vpShane

  07/08/2025

  [dead]

> Q: Can I monitor a phone without them knowing?

> A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.

How is that even possible on a modern Android? I'd think one of the explicit goals of the security model would be to prevent this.

• ridgewell

  07/08/2025

  I'm not familiar with this app but based on the read, it sounds like they're essentially relying on someone to sneak into the target's phone, install an apk with a 'Settings' logo, where you grant it all permissions (I assume the installer facilitates the process of manually granting full permissions for each permissions type and disabling battery optimization). Android does allow you to effectively delegate full permissions to an app like that, albeit in a manual way.

  • afarah1

    07/08/2025

    Camera and microphone usage should be hard-wired to an LED

    • Polizeiposaune

      07/08/2025

      and a switch which has a physical air gap when off.

      • itslennysfault

        07/08/2025

        Thanks for your suggestion, but at this time the NSA cannot allow this change.

        • aitchnyu

          07/09/2025

          Mics listen for voice commands all the time and some cameras can be activated without their LEDs.

        • ryanrasti

          07/08/2025

          Haha! That gave me a good laugh.

      • MisterTea

        07/08/2025

        "But the switch will compromise its water tightness like the headphone jack does!" - every mobile sycophant.

        • bigfatkitten

          07/09/2025

          Or worse: It might add 15 cents to the BOM!

        • jojobas

          07/09/2025

          Magnets and reed switches? Crazy talk!

  • roland35

    07/08/2025

    I wonder if it would show up in periodic permissions scans done by android. Hopefully!

    But as the TechCrunch author stated, oftentimes alerting the stalker can be dangerous for the victim.

• boznz

  07/08/2025

  I think setting up your own evil-proxy or evil-wifi-hotspot and periodically connecting your phone to them may help in the detection of these and many other phone home malware. I am getting closer to the paranoia threshold to almost give it a try.

  • lyu07282

    07/09/2025

    Then you would've seen some encrypted traffic to firebase which probably includes a bunch of legitimate apps on your phone too.

The TechCrunch article says

> Google said it added new protections for Google Play Protect

But the screenshot of the device settings in the article shows that the app has you turn off Google Play Protect. So does this even do anything?

Meanwhile Google (via its firebase brand) is apparently continuing to act as a host for this app...

some time ago I was having super weird phone issues (iphone) and narrowed it down to one of these services. I clearly had been 0 click vuln’d because I couldnt fathom how else it could have been infected, but had no idea who or why, still dont know. felt extremely gross and I have absolutely zero sympathy for any users or operators of these services and think this researcher was far too polite about it.

• normie3000

  07/09/2025

  How did you diagnose the issue? My iPhone feels like an appliance, and an increasingly slow and buggy one at that!

  • DownGoat

    07/09/2025

    Reboot the phone. This sort of stuff is not really possible on iPhone. None of the fancy spyware on iPhone survives reboots.

    • normie3000

      07/12/2025

      > Reboot the phone.

      This doesn't sound like a satisfying step in debugging. On the other hand, confirms my appliance feelings.

    • JohnMakin

      07/09/2025

      this was apple's advice as well, but alas, the only thing that remediated it was a full factory reset. /shrug

From sqlmap

> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"

I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.

• rendall

  07/08/2025

  That would be an amusing exercise in self-incrimination & discovery pain for Catwatchful. They would also have to quantify business losses, which requires admitting the value of an illicit enterprise. But YOLO am I right? LFG!

• nelgaard

  07/09/2025

  As someone noted, there is the issue of jurisdiction.

  But Daigle probably did consider being liable and what would be morally justified.

  It must have been tempting to try to use the Catwatchful app to notify the victims that they are being stalked. E.g., by getting phone numbers or social media handles and then SMS/DM the victims (if the app reveals the victims handles in the recorded conversations)

  Or getting the IMEI numbers and handing them over to network operators or local authorities who could do the notification.

  It would probably help many victims, but it could go wrong in some cases.

• SLWW

  07/08/2025

  Considering that it the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target. More and more businesses are accepting the help when they are given it, such as their response to put a WAF in place. I do agree you shouldn't use your Christian name in these sorts of situations since priors have not been established with the targetted company; however Catwatchful has no impetuous to pursue meaningless charges for a stalker app as there are most likely no damages unless the service providers actually respond, which they most likely won't. Nothing ever happens to these people and do you think datacenters/hosts/providers really care about anything other than DMCA complaints? (report illicit/illegal content to a host provider that isn't copyright protected and wait.. you will be waiting long after your teeth have fallen out)

  Do you really think that the users of a stalker app care if the app got "hacked" once or twice? Do you also think that the app makers themselves really want to remind the legal world that this stuff is legal when i bet you >50% of their users probably installed it on devices that aren't theirs? IDK, personally I would avoid the law at all costs if I released something this shady.

  • SahAssar

    07/09/2025

    > Considering that it the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target

    The never disclosed to the target company (not that I think they should have), this is definitely not white hat. This is essentially the grey-hat version of vigilantism.

    They disclosed it to a journalist and now on their blog.

• thunderfork

  07/08/2025

  [dead]

• VWWHFSfQ

  07/08/2025

  Yeah this whole exercise was completely illegal and I'm surprised this person publicly (and proudly) blogged about it like this.

  They probably need to engage an attorney now.

  • rendall

    07/08/2025

    Your theory is that Daigle is at risk of a Canadian prosecutor hauling him into court based on the criminal complaint of a Uruguayan purveyor of stalkerware? That's novel.

    • eddythompson80

      07/08/2025

      I think the theory is that Daigle has publicly professed to committing a crime sharing all their steps and receipts. It'll be unheard of of course if a Uruguayan purveyor of stalkerware take him to court.

      However, next time he talks about emulating Nintendo games or whatever, I'm sure Nintendo lawyers would love to bring it up and point "how the defendant brazenly defies law and order with predetermination malice".

      Not to begin to even mention now some shady criminal might hold a grudge against Daigle. I hope his security is air tight.

      There is a reason these reports are usually anonymous or follow responsible disclosure.

      • rendall

        07/08/2025

        Rest easy, Daigle is legally immune from concern trolling.

        • eddythompson80

          07/08/2025

          good for him

      • lcnPylGDnU4H9OF

        07/08/2025

        > next time he talks about emulating Nintendo games or whatever

        This seems like a straw man, though? What if they just... continue to not do that? (I think this is what the other commenter meant with "concern trolling".)

        > Not to begin to even mention now some shady criminal might hold a grudge against Daigle.

        This is 1) not a problem a lawyer will help you with and 2) not a practical concern for most people in the US and Canada. For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.

        I don't really see a practical reason for this person to avoid putting their name behind this report. The only reason that seems to make sense is if this group is not a criminal enterprise. Then they might be at all inclined to file a lawsuit.

        • mtlynch

          07/08/2025

          >For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.

          Brian Krebs invests a huge amount into keeping his home address a secret and has extensive surveillance at his home to keep intruders out. He was once SWATed and another time someone ordered heroin to his home and called the police to frame him for drug trafficking.[0]

          It's a bit of a miracle that Krebs continues his reporting. Krebs' courage and opsec is not very easy to achieve, especially for a 23 year old blogger like OP.

          [0] https://news.ycombinator.com/item?id=42354602

          • lcnPylGDnU4H9OF

            07/08/2025

            These points are not convincing. That paragraph says that he expends effort to keep his home address secret but then admits that those efforts are in vain because he’s been mailed things maliciously (to his home address) and SWATed (at his home address). It’s also not likely that surveillance will keep intruders out; it would help the criminal investigation after his house is burned down, except that hasn’t happened.

            I agree that he’s courageous but only because he receives many threats, not because he faces imminent dangers. His protection comes from the fact that a criminal enterprise will only bring attention to themselves by purchasing his murder, which is true because law enforcement investigates and prosecutes violent crime.

            • mtlynch

              07/09/2025

              >That paragraph says that he expends effort to keep his home address secret but then admits that those efforts are in vain because he’s been mailed things maliciously (to his home address) and SWATed (at his home address). It’s also not likely that surveillance will keep intruders out; it would help the criminal investigation after his house is burned down, except that hasn’t happened.

              The article says that he moved to a new home because of these incidents and now takes extreme measures to keep his address a secret.

              I don't understand how you can make the argument that retribution from criminals is "not a practical concern" because Krebs still does his reporting in spite of the risks. SWATing and attempts to frame him for a serious crime aren't just threats - they occurred. He could have died or been imprisoned.

      • dylan604

        07/08/2025

        Just preface the story with "last night I had a dream that I..." Now, it is a work of fiction.

        • eddythompson80

          07/08/2025

          Pretty sure that has never stood in court and it can only hurt you. It shows to the jury that you're trying to be dishonest.

        • ziml77

          07/09/2025

          ah yes the bulletproof "in Minecraft" defense

  • mtlynch

    07/08/2025

    The server they compromised is essentially a command and control server for an illegal botnet.

    Are there documented cases of botnet owners trying to sue or get law enforcement to prosecute someone for infiltrating their botnet?

    I'd be more concerned about extralegal retaliation from people in the malware ecosystem.

    • dylan604

      07/08/2025

      Hey, that's my server, and is totally 100% legit. I was unaware that I was pwnd and someone was using it as a C&C server. I'm now suing you for hacking my server, as you could be the person that installed the C&C server. After all, you are an admitted hacker.

      Stranger things have won in court

  • pbhjpbhj

    07/09/2025

    I'm interested people are talking about suing, unauthorised access of a computer system is usually illegal, you don't need to rely on tort. States like to be in control of who is allowed to access computer systems; a key component of projection of power.

  • SoftTalker

    07/08/2025

    Author is in Canada, not sure if/how that changes things.

  • lawlessone

    07/08/2025

    Class action lawsuit from a group of stalkers?

• deadbabe

  07/08/2025

  About half of hacking articles are just fake things people claim to have done but didn’t actually happen and no one checks on it, and conveniently by the time they publish the exploit was “fixed”. So you can’t verify for yourself anyway.

  Without hard proof that the author did what they said they did, you have no real case. This particular story already sounds far fetched but makes good fantasy.

  • munchler

    07/08/2025

    FWIW, this story has been verified by a reporter at TechCrunch, who says he used the dumped database to identify the spyware admin in Uruguay.

    https://techcrunch.com/2025/07/02/data-breach-reveals-catwat...

    • deadbabe

      07/08/2025

      Doesn’t change what I said

Sometimes, I wish engineers running backend services were not hindered by management nonsense and would just nuke these systems when they are reported, sufficiently backed up with evidence (like here -- though I'd do a personal check first to verify). Seems like some did (congrats), others didn't (Firebase). I can assure you if I was on the other end, I would have escalated until I got fired or the service was down. Unimaginable that some let these run, wake up in the morning, look in the mirror and aren't ashamed of themselves.

People will continue doing their unethical behaviour not because we aren't on the streets fighting for the right thing, but because we just don't care enough, and let them continue.

> The live photo and microphone options are particularly creepy, successfully taking a photo or recording and uploading it for me to view near-instantly on the control panel without giving the phone user the slightest sign that anything is amiss

Oh dear.

Someone who is in malware business will 100% not sue you for what you did, i wouldn't worry about that at all. You did a good job!

isn't using software like this deeply illegal? or is that a legislative blind-spot? seems like this database should be sent to the FBI and someone can make a career out of prosecuting