US Hotel Check-In Systems Found Harboring Spyware App
A consumer-grade spyware app, pcTattletale, has been discovered running on check-in systems at three Wyndham hotels in the United States, according to a TechCrunch report. The spyware periodically captures screenshots of the hotel booking systems, exposing guest names, reservation details, and partial payment card numbers. Because of a security flaw in the spyware itself, those screenshots are reachable by anyone on the internet, not only by the person who installed the app.
Eric Daigle, the security researcher who uncovered the issue, attempted to report it to pcTattletale, but the company did not respond, leaving the flaw unfixed. According to Daigle, anyone on the internet who understands how the security flaw works can download the screenshots.
Captured screenshots from two Wyndham hotels showed guest details on a web portal provided by travel tech giant Sabre, while a third hotel's check-in system was logged into Booking.com’s administration portal.
Daigle's findings were part of a broader investigation into consumer-grade spyware, often referred to as "stalkerware" for its use in tracking people without their knowledge or consent. The exact method of how the spyware was installed remains unclear. Potential scenarios include a malicious third-party tricking hotel employees into installing the software or deliberate installation by hotel management.
Vice highlighted the lax security practices of many stalkerware companies, including pcTattletale, which markets itself for monitoring spouses without their consent. The app stores screenshots of infected devices at URLs that require no login, so anyone who knows or guesses such a URL can view them.
Security researcher Jo Coscia demonstrated that pcTattletale uploads victim data to an AWS server that requires no authentication, making it possible for attackers to access these images. In addition, Bryan Fleming, the owner of pcTattletale, admitted to retaining the data of free trial users for longer than what’s stated in promotional emails, citing user needs to recover screenshots post-trial.
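The flaw described above is the classic "anyone can read" object-storage misconfiguration. As an added illustration, not code from the article, from the researchers, or from pcTattletale, the snippet below assumes the upload target is an S3-style bucket governed by a bucket policy (the article says only "AWS server") and shows a small policy linter run over two constructed policies: one that grants read access to an anonymous principal, and a hardened version that limits reads to a single IAM role. The bucket name, account ID and role name are made up for the example.

```python
"""Added example (not from the article): flag S3 bucket policy statements that
grant unauthenticated read access. All bucket/account/role names are constructed."""
import fnmatch
import json

# Constructed weak policy: Principal "*" means any caller, including anonymous ones.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-screenshots/*",
    }],
})

# Constructed hardened policy: reads allowed only to one role in the owning account.
# (Pair this with S3 Block Public Access on the bucket; the policy alone is not enough
# if an ACL or another statement opens the bucket.)
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/screenshot-viewer"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-screenshots/*",
    }],
})

READ_ACTION = "s3:getobject"


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the Principal element matches every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy_json):
    """Return the Sids of Allow statements that let an anonymous caller read objects.

    Statements carrying a Condition are reported separately by the caller's choice;
    here they are returned with a '?' suffix because a condition such as aws:SourceVpce
    may or may not actually restrict access and needs manual review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        # fnmatch handles wildcards such as "s3:*", "s3:Get*" or "*".
        if not any(fnmatch.fnmatch(READ_ACTION, a) for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        findings.append(sid + "?" if stmt.get("Condition") else sid)
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", public_read_statements(policy) or "no anonymous read")
```

The linter only inspects the bucket policy; a complete audit also checks object ACLs and whether S3 Block Public Access is enabled at the account and bucket level, and it treats any wildcard principal as a finding even when a Condition is present, since conditions must be reviewed by hand.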
In response to the incident, Wyndham emphasized that all its hotels in the US are independently owned and operated and did not confirm whether they were aware of or approved pcTattletale’s use. Booking.com noted that its systems were not compromised but acknowledged that phishing tactics have targeted its accommodation partners.
This incident adds to growing concerns about the misuse of commercial spyware, a trend highlighted in a recent report by Google's Threat Analysis Group (TAG). The report details how spyware, often supplied by Europe-based startups, is increasingly used by governments for surveillance. Last year, security researchers also discovered two spyware apps on Google Play disguised as file management tools, which exposed over 1.5 million users by transmitting their personal data to servers in China.