\n<\/p>\n
A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned.<\/p>\n
The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware\u2019s intended users.\u00a0<\/p>\n
This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It\u2019s also the second known time<\/a> that pcTattletale has exposed screenshots of the devices on which the app is installed. Several other spyware apps<\/a> in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators<\/a>.<\/p>\n pcTattletale allows whomever controls it to remotely view the target\u2019s Android or Windows device and its data, from anywhere in the world. pcTattletale\u2019s website says the app \u201cruns invisibly in the background on their workstations and can not be detected.\u201d<\/p>\n But the bug means that anyone on the internet who understands how the security flaw works can download the screenshots captured by the spyware directly from pcTattletale\u2019s servers.\u00a0<\/p>\n Security researcher Eric Daigle told TechCrunch that he found the compromised hotel check-in systems as part of an investigation into consumer-grade spyware. These apps are often referred to as \u201cstalkerware\u201d<\/a> for their ability to be used to track people \u2014 including spouses and domestic partners \u2014 without their knowledge or consent.\u00a0<\/p>\n Daigle said he attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed at the time of publication. Daigle disclosed limited details of pcTattletale\u2019s leaking screenshot bug in a short blog post<\/a>, without providing specifics so as to not help bad actors take advantage of the flaw.\u00a0<\/p>\n Daigle said pcTattletale periodically takes new screenshots of the device that the app is running on, sometimes every few seconds.<\/p>\n The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests\u2019 partial payment card numbers.<\/p>\n Another screenshot showed access to a third Wyndham hotel\u2019s check-in system, which at the time was logged into Booking.com\u2019s administration portal used to manage a guest\u2019s reservation.<\/p>\n It\u2019s not known who planted the app or how the app was planted \u2014 for example, if hotel employees were tricked into installing it, or if the hotel owner intended the spyware to be used to monitor employee behavior. pcTattletale markets itself as a way to monitor employees, among other uses.<\/p>\n The manager of one affected hotel told TechCrunch by phone that they were unaware that the spyware was taking screenshots of their check-in computer. The managers of the other two hotels did not return TechCrunch\u2019s calls or emails. <\/strong>TechCrunch is not naming the specific hotels given the risk of retaliation against hotel employees.<\/p>\n Wyndham spokesperson Rob Myers told TechCrunch in an email: \u201cWyndham is a franchise organization, meaning all of our hotels in the U.S. are independently owned and operated.\u201d Wyndham would not say if it was aware that pcTattletale was used on the front-desk computers of its branded hotels or if the use of pcTattletale was approved by Wyndham\u2019s own policies.<\/p>\n Booking.com told TechCrunch that its own systems were not compromised by the spyware, but that this case seemed like an example of how hotel systems are targeted by cybercriminals to get access to the hotel\u2019s accounts.<\/p>\n \u201cSome of our accommodation partners have unfortunately been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links or download attachments outside of our system that enable malware to load on their machines and in some cases, lead to unauthorized access to their Booking.com account,\u201d said Angela Cavis, a spokesperson for Booking.com. \u201cThese bad actors then attempt to impersonate the partner (or even Booking.com) \u2014 sometimes very convincingly \u2014 to request payment from customers outside of the policy in their booking confirmation.\u201d<\/p>\n BBC News reported last December<\/a> that cybercriminals had obtained access to the administration portals of individual hotels that use Booking.com. With this access, the criminals then sent messages to customers from the company\u2019s app to trick them into paying them instead of the hotel.\u00a0<\/p>\n It\u2019s not known if pcTattletale or other spyware is linked to previous incidents, and Booking.com said it was investigating.<\/p>\n There is a long history of stalkerware apps that ostensibly market themselves for legitimate uses \u2014 tracking your own children is legal in the United States \u2014 but also promote, or outright say, that the apps can be used to target people without their knowledge, often spouses and domestic partners, which is unlawful.<\/p>\n pcTattletale is sold under the guise of child and employee monitoring software, but the company also promotes its app for use against \u201cspouses who worry that their partner might be cheating.\u201d\u00a0<\/p>\n pcTattletale develops spyware apps for Android and Windows and both apps require physical access to a target\u2019s device to install. pcTattletale provides its Windows spyware app as a one-click download that can be installed in a few seconds, according to TechCrunch\u2019s own tests and analysis of the spyware.\u00a0<\/p>\n pcTattletale also offers a service called \u201cWe Do It For You,\u201d which the company says will help install the spyware on the target\u2019s computer on the customer\u2019s behalf.\u00a0<\/p>\n \u201cWe put pcTattletale on their Windows Computer for you. Just pick a time,\u201d pcTattletale\u2019s website tells customers inside its members\u2019 portal. \u201cYou will get an email with instructions for us to access their computer. It takes us about 10 minutes. No traces left behind. All tracks covered.\u201d The customer is then sent a link \u201cfor our techncian [sic] to access the computer.\u201d<\/p>\n Bryan Fleming, who founded and maintains pcTattletale, did not respond to TechCrunch\u2019s request for comment.\u00a0<\/p>\n To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email<\/a>. You can also send files and documents via\u00a0SecureDrop<\/a>.<\/em><\/p>\n<\/div>\nGuest and reservation details captured and exposed<\/h2>\n
\u201cAll tracks covered\u201d<\/h2>\n
\n