At least three Wyndham hotels in the United States have been found to have consumer spyware apps running in their check-in systems, TechCrunch has learned.
The app, called pcTattletale, secretly and continuously captured screenshots of hotel reservation systems containing guest details and customer information. Thanks to the spyware's security flaws, these screenshots become available to anyone on the Internet, not just the spyware's target users.
This is the latest example of consumer-grade spyware leaking sensitive information due to security flaws in the spyware itself. This is also the second time, as far as he is aware, that pcTattletale has published a screenshot of a device on which the app is installed. In recent years, several other spyware apps have had security bugs or misconfigurations that have unknowingly leaked device owners' personal information and data, in some cases prompting action by government regulators.
Guest and reservation details are captured and made public
pcTattletale allows anyone controlling it to remotely view a target Android or Windows device and its data from anywhere in the world. His website for pcTattletale states that the app “runs invisibly in the background of your workstation and is undetectable.”
However, this bug allows anyone on the Internet who understands how the security flaw works to download screenshots captured by the spyware directly from pcTattletale's servers.
Security researcher Eric Daigle told TechCrunch that he discovered a compromised hotel check-in system as part of an investigation into consumer spyware. These apps are sometimes called “stalkerware” because they can be used to track people, including spouses and domestic partners, without their knowledge or consent.
Daigle said he tried to alert pcTattletale about the issue, but the company did not respond and the issue remained unfixed at the time of publication. Daigle disclosed limited details of the pcTattletale screenshot leak bug in a short blog post, but did not divulge the details to prevent malicious parties from exploiting the flaw.
According to Daigle, pcTattletale periodically takes new screenshots of the device the app is running on, sometimes every few seconds.
Screenshots from two Wyndham hotels seen by TechCrunch show guests' names and reservation details on a web portal provided by travel tech giant Saber. A screenshot of the web portal also shows part of the guest's payment card number.
Another screenshot shows access to a third Wyndham hotel's check-in system, logging into Booking.com's administrative portal, which at the time was used to manage guest reservations. I did.
It is unclear who embedded the app or how the app was embedded. For example, it is unclear whether hotel employees were tricked into installing it or whether hotel owners intended to use the spyware to monitor employee behavior. pcTattletale sells things like how to monitor your employees.
A manager at one of the affected hotels told TechCrunch by phone that he had no idea the spyware was taking screenshots of check-in computers. Managers at the other two hotels did not respond to TechCrunch's calls or emails. TechCrunch is not naming specific hotels due to the risk of retaliation against hotel employees.
Wyndham spokesperson Rob Myers told TechCrunch in an email: “Wyndham is a franchise organization, which means all of our hotels in the United States are independently owned and operated.” Wyndham is aware of the use of pcTattletale on front desk computers at its branded hotels. Wyndham did not say whether it had done so or whether its use of pcTattletale was authorized by Wyndham's own policies.
Booking.com told TechCrunch that while its systems have not been compromised by spyware, this incident appears to be an example of how hotel systems can be targeted by cybercriminals and gain access to hotel accounts. he said.
“Unfortunately, some of our lodging partners have been targeted by highly persuasive and sophisticated phishing tactics that trick them into clicking on links or downloading attachments outside of our systems. “This can load malware onto the accommodation partner's machine and potentially lead to unauthorized access to the property's Booking.com account,” a Booking.com spokesperson said. , said Angela Cavis. “These bad actors impersonate our partners (or Booking.com) and attempt to coerce customers into making payments outside of policy on booking confirmations, sometimes very convincingly.”
BBC News reported in December that cybercriminals had gained access to the management portals of individual hotels using Booking.com. Using this access, criminals were able to send messages to customers from the company's app, tricking them into paying on behalf of the hotel.
It is unclear whether pcTattletale or other spyware is related to the previous incident, and Booking.com said it was investigating.
“All songs cover”
Stalkerware apps have a long history of marketing themselves for ostensibly legitimate uses, but tracking your children is legal in the United States. On the other hand, the app has been promoted or outright claimed that it can be used to target people, often spouses, without their knowledge. And domestic partners, this is illegal.
pcTattletale is marketed as child and employee monitoring software, but the company also advertises an app for use with “spouses who are worried that their partner is cheating.” There is.
A screenshot of pcTattletale's member portal, where users can download a monitoring app. “Users have no idea that pcTattletale is installed and running.” Image credit: TechCrunch (screenshot)
pcTattletale develops spyware apps for Android and Windows, both of which require physical access to the target device to install. TechCrunch's exclusive spyware testing and analysis found that pcTattletale offers a one-click download of its Windows spyware app that can be installed in seconds.
pcTattletale also offers a service called “We Do It For You,” which the company says helps install spyware on targeted computers on behalf of its customers.
“We've installed pcTattletale for you on their Windows computer. Choose a time,” the pcTattletale website tells customers within its membership portal. “You will receive an email with instructions to access their computer. It will take about 10 minutes. There will be no trace left. All tracks have been covered.” A link for technicians will be sent to you. [sic] Access your computer.”
Brian Fleming, who founded and manages pcTattletale, did not respond to TechCrunch's request for comment.
Contact this reporter via Signal and WhatsApp (+1 646-755-8849) or email. You can also send files and documents via SecureDrop.