Parental control app gets hacked exposing 281GB of data

The hacker claims to have entered an app’s server

spyware is designed to monitor people’s online activities, especially if they are criminals or potential malicious actors. However, this does not mean that this kind of software is safe from any vulnerability or that it is immune to hacker attacks. Cases such as TheTruthSpy or FlexiSpy are evidence of how vulnerable security measures are for companies that commercialize spyware for domestic use.

Ethical hacking specialists from the International Institute of Cyber Security report that Family Orbit, a monitoring and espionage app related to parental control, exposed online almost 281 GB of data. Data was stored on a poorly secured server until a hacker discovered the presence of a large amount of data from compromised Family Orbit customers. Later, the hacker reported the defective server to various specialized media.

Around 3.8k containers were in Rackspace, a cloud storage service. The hacker proved to have accessed the files stored there, ranging from user names to video recordings: “I’ve got all the photos loaded from the children’s phones monitored with this app, and also some screenshots of the developer’s desktop, where are exposed passwords and other sensitive information”, said the hacker, who preferred to remain anonymous.

Ethical hacking experts were able to confirm the data theft, after verifying that the e-mail addresses provided by the hacker belonged to active users of the Family Orbit service.

Family Orbit announces itself as “the best parental control app currently available online”. The worrying thing is that the exposed data include hundreds of images of children, which were monitored by their parents or relatives through this app. The data were protected only by a very easy to guess password. The hacker found the key to access this data on the servers in the spyware cloud.

The hacker who discovered the unprotected server is known for having attacked Retina-X, another domestic use spyware, attack in which he erased the company servers twice. At a time after the hacker’s statement, Family Orbit also recognized the data theft.

A company spokesperson stated that the spyware API key is stored in the application in encrypted form and that the company observed unusual bandwidth on its server. As soon as the company detected this anomalous behavior, the API key and login credentials were immediately changed. In addition, the company’s sales and services were disabled until the flaw was corrected.

According ethical hacking specialists from the International Institute of Cyber Security, Family Orbit has functions such as blocking potentially malicious websites, real-time localization of the device where it is installed and device blocking, sensitive information that might compromise its users.