TechCrunch reported that a consumer spyware app was found running on the check-in systems of at least three Wyndham hotels across the United States.
An app called pcTattletale secretly and persistently captured customer details and screenshots of hotel reservation systems containing customer information. Due to a security flaw in the spyware, these screenshots are available to anyone on the Internet, not just the spyware's intended user.
This is the latest example of consumer-grade spyware exposing sensitive information due to a security flaw in the spyware itself. This is also the second known time that pcTattletale has exposed screenshots of devices with the app installed. Several other spyware apps in recent years have had security bugs or misconfigurations that have exposed personal data of unwitting device owners, in some cases leading to action by government regulators.
Customer and reservation details are captured and exposed.
pcTattletale allows anyone controlling it to remotely view the target's Android or Windows device and its data from anywhere in the world. pcTattletale's website says the app “runs invisibly in the background of your workstation and cannot be detected.”
However, the bug means that any Internet user who understands how the security flaw works can download the screenshots captured by the spyware directly from the pcTattletale servers.
Security researcher Eric Daigle told TechCrunch that he discovered a compromised hotel check-in system as part of his investigation into consumer spyware. These apps are often called “stalkerware” because they can be used to track people, including spouses and domestic partners, without their knowledge or consent.
Daigle said he attempted to alert pcTattletale about the issue, but the company did not respond and the flaw remained unfixed at the time of publishing. Daigle revealed limited details about pcTattletale's leaked screenshot bug in a short blog post, withholding specifics so as not to help malicious actors exploit the flaw.
Daigle said pcTattletale takes new screenshots of the device the app is running on periodically, sometimes every few seconds.
Screenshots from two Wyndham hotels seen by TechCrunch show guests' names and reservation details on a web portal provided by travel technology giant Sabre. A screenshot of the web portal also shows some of the guest's payment card numbers.
Another screenshot showed access to a third Wyndham hotel's check-in system, which at the time was logged into the Booking.com management portal used to manage guest reservations.
We don't know who installed the app or how they installed it. For example, we don't know if hotel employees were tricked into installing the app or if the hotel owners intended to use spyware to monitor employee behavior. pcTattletale markets itself as a way to monitor employees, among other things.
A manager at one affected hotel told TechCrunch by phone that he was unaware that the spyware was taking screenshots of check-in computers. Managers at the other two hotels did not respond to calls or emails from TechCrunch. TechCrunch is not naming specific hotels due to the risk of retaliation against hotel staff.
Wyndham spokesman Rob Myers told TechCrunch via email: “Wyndham is a franchise organization, which means all of its hotels in the United States are independently owned and operated.” Wyndham did not disclose whether it was aware that pcTattletale was being used on front desk computers at its branded hotels or whether the use of pcTattletale was approved under Wyndham's own policies.
Booking.com told TechCrunch that while its own systems were not compromised by spyware, the case appears to be an example of how cybercriminals target hotel systems to gain access to hotel accounts.
“Unfortunately, some of our accommodation partners have been targeted by very persuasive and sophisticated phishing tactics. They encourage them to click on links or download attachments outside of our systems, which allows malicious code to be loaded onto their computers and in some cases leads to unauthorized access to their accommodations. This is your Booking.com account,” said Booking.com spokeswoman Angela Cavis. “These bad actors impersonate our partners (or even Booking.com) and attempt to solicit payments from guests that fall outside the policies of the booking confirmation, sometimes very convincingly.”
BBC News reported in December last year that cybercriminals had accessed the management portals of individual hotels using Booking.com. This access allowed criminals to send messages to customers on the company's app, tricking them into paying for the hotel on their behalf.
It is not known whether pcTattletale or other spyware was involved in the previous incident, and Booking.com said it was investigating.
“All tracks covered”
Stalkerware apps have a long history of ostensibly marketing themselves for legitimate uses, such as tracking your own children, which is legal in the United States. However, they also promote or explicitly state that the apps can be used to target people, often spouses and domestic partners, without their knowledge, which is illegal.
pcTattletale is marketed under the guise of child and employee monitoring software, but the company also promotes the app for use by “spouses who are worried their partner is cheating.”

pcTattletale develops spyware apps for Android and Windows, both of which require physical access to the target device to install. According to TechCrunch's own testing and spyware analysis, pcTattletale offers a Windows spyware app as a one-click download that can be installed in seconds.
pcTattletale also offers a service called “We Do It For You” that helps install spyware on target computers on behalf of customers.
“We installed pcTattletale on your Windows computer for you. Choose your time,” pcTattletale's website informs customers inside its member portal. “You will receive an email with instructions on how we can access that person’s computer. It takes about 10 minutes. No trace was left. All tracks are covered.” The customer will then be sent “a link that will allow a technician to access your computer.”
Bryan Fleming, who founded and runs pcTattletale, did not respond to TechCrunch's request for comment.