A consumer-grade spyware application was found to be running on the check-in systems of at least three Wyndham hotels in the United States, according to TechCrunch.
The app, called pcTattletale, secretly and continuously captured screenshots of hotel reservation systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the Internet, not just the intended users of the spyware.
This is the latest example of consumer spyware exposing sensitive information due to a security flaw in the spyware itself. It is also the second known time that pcTattletale has exposed screenshots of the devices on which the application is installed. Several other spyware applications in recent years have had security flaws or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.
Visitor and booking details were recorded and displayed
pcTattletale allows whoever controls it to remotely view the target’s Android or Windows device and its data, from anywhere in the world. pcTattletale’s website says the app “runs invisibly in the background on their workstations and cannot be detected”.
However, the flaw means that anyone on the Internet who understands how the security flaw works can download the screenshots captured by the spyware directly from pcTattletale’s servers.
Security researcher Eric Daigle told TechCrunch that he found the compromised hotel check-in systems as part of an investigation into consumer-grade spyware. These apps are often referred to as “stalkerware” for their ability to be used to track people — including spouses and domestic partners — without their knowledge or consent.
Daigle said he tried to warn pcTattletale about the issue, but the company did not respond, and the flaw remains unresolved at the time of publication. Daigle revealed limited details of the leaked screenshot bug in pcTattletale in a short blog post, without providing specifics so as not to help bad actors exploit the flaw.
Daigle said pcTattletale periodically takes new screenshots of the device the app is running on, sometimes every few seconds.
Screenshots from two Wyndham hotels, seen by TechCrunch, show guests’ names and reservation information on an online portal provided by travel tech giant Sabre. The screenshots of the web portals also show the numbers of some payment cards of the visitors.
Another screenshot showed access to a third-party Wyndham hotel check-in system, which at the time was connected to the Booking.com management portal used to manage a guest’s reservation.
It is not known who installed the app or how the app was installed — for example, if hotel employees were tricked into installing it, or if the hotel owner intended the spyware to be used to monitor employee behavior. pcTattletale is marketed as a way to track employees, among other uses.
The manager of one affected hotel told TechCrunch by phone that they were unaware the spyware was taking screenshots of their computer at check-in. Managers at the other two hotels did not return TechCrunch’s calls or emails. TechCrunch is not naming the specific hotels given the risk of retaliation against hotel employees.
Wyndham spokesman Rob Myers told TechCrunch in an email: “Wyndham is a franchise organization, meaning all of our hotels in the US are independently owned and operated.” Wyndham could not say whether it knew pcTattletale was being used on the front desk computers of its branded hotels, or whether the use of pcTattletale was authorized by Wyndham’s own policies.
Booking.com told TechCrunch that its own systems were not breached by the spyware, but that this case seemed like an example of how hotel systems are targeted by cybercriminals to gain access to hotel accounts.
“Some of our accommodation partners have unfortunately been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links or download attachments outside of our system that allow malware to be loaded onto their computers and, in some cases, lead to unauthorized access to your Booking.com Account,” said Angela Cavis, a Booking.com spokesperson. “These bad actors then try to impersonate the partner (or even Booking.com) — sometimes very convincingly — to request payment from customers outside of the policy on their booking confirmation.”
BBC News reported last December that cybercriminals had gained access to the management portals of individual hotels using Booking.com. With this access, the criminals then sent messages to customers from the company’s app to trick them into paying them instead of the hotel.
It is not known whether pcTattletale or other spyware is linked to previous incidents, and Booking.com said it is investigating.
“All routes covered”
There’s a long history of stalkerware apps that ostensibly market themselves for legitimate uses — tracking your kids is legal in the United States — but also promote, or outright state, that the apps can be used to target people without their knowledge, often spouses and domestic partners, which is illegal.
pcTattletale is marketed under the guise of child and employee monitoring software, but the company also promotes its app for use against “spouses who are worried their partner might be cheating.”
pcTattletale develops spyware apps for Android and Windows, and both apps require physical access to a target’s device to install. pcTattletale provides its Windows spyware application as a one-click download that can be installed in seconds, according to TechCrunch’s own spyware testing and analysis.
pcTattletale also offers a service called “We Do It For You,” which the company says will help install the spyware on the target’s computer on behalf of the customer.
“We put pcTattletale on their Windows PC for you. Just pick a time,” the pcTattletale website tells customers within its member portal. “You will receive an email with instructions to access their computer. It takes us about 10 minutes. They left no traces behind. All the pieces covered.” The customer is then sent a link “for our technician [sic] to access the computer.”
Bryan Fleming, who founded and runs pcTattletale, did not respond to TechCrunch’s request for comment.
To contact this reporter, reach out via Signal or WhatsApp at +1 646-755-8849 or via email. You can also send files and documents via SecureDrop.