Spyware found on US hotel check-in computers

In this article:

A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned.

The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware's intended users.

This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It's also the second known time that pcTattletale has exposed screenshots of the devices on which the app is installed. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.

Guest and reservation details captured and exposed

pcTattletale allows whomever controls it to remotely view the target’s Android or Windows device and its data, from anywhere in the world. pcTattletale's website says the app "runs invisibly in the background on their workstations and can not be detected."

But the bug means that anyone on the internet who understands how the security flaw works can download the screenshots captured by the spyware directly from pcTattletale's servers.

Security researcher Eric Daigle told TechCrunch that he found the compromised hotel check-in systems as part of an investigation into consumer-grade spyware. These apps are often referred to as "stalkerware" for their ability to be used to track people — including spouses and domestic partners — without their knowledge or consent.

Daigle said he attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed at the time of publication. Daigle disclosed limited details of pcTattletale's leaking screenshot bug in a short blog post, without providing specifics so as to not help bad actors take advantage of the flaw.

Daigle said pcTattletale periodically takes new screenshots of the device that the app is running on, sometimes every few seconds.

The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests’ partial payment card numbers.

Another screenshot showed access to a third Wyndham hotel's check-in system, which at the time was logged into Booking.com's administration portal used to manage a guest's reservation.