Spyware found on US hotel check-in computers

TechCrunch has discovered that a consumer spyware application has been found running in the check-in systems of at least three Wyndham hotels in the United States.

The app, called pcTattletale, stealthily and continuously captured screenshots of the hotel’s reservation systems, containing guest details and customer information. Thanks to a security flaw in spyware, these screenshots are available to anyone on the Internet, not just the spyware’s intended users.

This is the latest example of consumer spyware exposing sensitive information due to a security flaw in the spyware itself. This is also the second known time that pcTattletale has exposed screenshots of devices on which the app is installed. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.

Guest and booking details captured and exposed

pcTattletale allows the controller to remotely view the target’s Android or Windows device and its data, from anywhere in the world. The pcTattletale website says the app “runs invisibly in the background on your workstations and cannot be detected.”

But the bug means that anyone on the Internet who understands how the security flaw works can download screenshots captured by the spyware directly from pcTattletale’s servers.

Security researcher Eric Daigle told TechCrunch that he found hotel check-in systems compromised as part of an investigation into consumer spyware. These apps are often called “stalkerware” for their ability to be used to track people, including spouses and common-law partners, without their knowledge or consent.

Daigle said he tried to alert pcTattletale about the issue, but the company did not respond and the bug has not yet been fixed at the time of publication. Daigle revealed limited details of the leaked pcTattletale screenshot bug in a brief blog post, without providing details so as not to help bad actors exploit the flaw.

Daigle said pcTattletale periodically takes new screenshots of the device the app is running on, sometimes every few seconds.

Screenshots of two Wyndham hotels, seen by TechCrunch, show guests’ names and reservation details on a web portal provided by travel tech giant Sabre. Screenshots of the web portals also show partial guest payment card numbers.

Another screenshot showed access to the check-in system of a third Wyndham hotel, which at the time was connected to the Booking.com administration portal used to manage a guest’s reservation.

It is not known who planted the application or how; for example, if hotel employees were tricked into installing it or if the hotel owner intended to use the spyware to monitor employee behavior. pcTattletale is marketed as a way to monitor employees, among other uses.

The manager of one affected hotel told TechCrunch by phone that they were unaware that the spyware was taking screenshots of their check-in computer. Managers at the other two hotels did not return calls or emails from TechCrunch. TechCrunch is not naming specific hotels given the risk of retaliation against hotel employees.

Wyndham spokesperson Rob Myers told TechCrunch in an email: “Wyndham is a franchise organization, meaning all of our hotels in the US are independently owned and operated.” Wyndham did not say whether it was aware that pcTattletale was used on the front-desk computers at its branded hotels or whether the use of pcTattletale was approved by Wyndham’s own policies.

Booking.com told TechCrunch that its own systems were not compromised by spyware, but that this case seemed like an example of how cybercriminals attack hotel systems to gain access to hotel accounts.

“Unfortunately, some of our hosting partners have been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links or download attachments outside of our system that allow malware to be loaded onto their machines and, in some cases, “lead to unauthorized access to your Booking.com account,” said Angela Cavis, spokesperson for Booking.com. “These bad actors then try to impersonate the partner (or even Booking.com), sometimes very convincingly, to request payments from customers outside of the policy in their reservation confirmation.”

BBC News reported last December that cybercriminals had gained access to the management portals of individual hotels using Booking.com. With this access, the criminals sent messages to customers from the company’s application to trick them into paying them instead of the hotel.

It is not known whether pcTattletale or other spyware is related to previous incidents, and Booking.com said it was investigating.

‘All tracks covered’

There is a long history of stalkerware apps that are ostensibly marketed for legitimate uses (tracking your own children is legal in the United States), but also promote, or outright say, that the apps can be used to attack people without their knowledge, often spouses. and de facto couples, which is illegal.

pcTattletale is sold under the guise of child and employee tracking software, but the company also promotes its app for use against “spouses who fear their partner is cheating on them.”

A screenshot of the pcTattletale member portal, which allows users to download their monitoring app that “users will not know that pcTattletale is installed and running.” Image credits: TechCrunch (screenshot)

pcTattletale develops spyware applications for Android and Windows and both applications require physical access to the target device for installation. pcTattletale provides its Windows spyware app as a one-click download that can be installed in a few seconds, according to TechCrunch’s own spyware testing and analysis.

pcTattletale also offers a service called “We Do It for You,” which the company says will help install spyware on the target’s computer on the customer’s behalf.

“We install pcTattletale on your Windows computer. Simply choose a time,” the pcTattletale website tells customers within the member portal. “You will receive an email with instructions for us to access your computer. It takes us about 10 minutes. There are no traces left. All courts covered.” A link “for our technician” is then sent to the customer [sic] to access the computer.

Bryan Fleming, who founded and maintains pcTattletale, did not respond to TechCrunch’s request for comment.

To contact this reporter, please contact via Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.

Leave a Comment