EXCLUSIVE: Spyware found on US hotel check-in computers

TechCrunch has learned that a consumer-grade spyware application is running on the lodging systems of at least three Wyndham hotels in the United States.

The app, called pcTattletale, secretly and continuously captures screenshots of hotel reservation systems that contain guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the Internet, not just the intended users of the spyware.

This is the latest example of consumer spyware exposing sensitive information due to a security flaw in the spyware itself. This is also the second known time pcTattletale has revealed screenshots of the devices the app is installed on. Several other spyware apps in recent years have had security bugs or misconfigurations that have exposed the private and personal data of unwitting device owners, in some cases prompting government regulators to take action.

Guest and booking details are captured and disclosed

pcTattletale allows whoever controls it to remotely view a target’s Android or Windows device and its data from anywhere in the world. pcTattletale’s website says the app “runs invisibly in the background on their workstations and cannot be detected.”

But the flaw means that anyone on the Internet who understands how the security flaw works can download the screenshots taken by the spyware directly from pcTattletale’s servers.

Security researcher Eric Daigle told TechCrunch that he discovered the compromised hotel check-in systems as part of an investigation into consumer spyware. These apps are often called “stalker software” because of their ability to be used to track people — including spouses and domestic partners — without their knowledge or consent.

Daigle said he tried to alert pcTattletale to the issue, but the company did not respond and the flaw remained unfixed at the time of publication. Daigle revealed limited details about the leaking pcTattletale screenshot bug in a short blog post, without providing details so as not to help bad actors take advantage of the flaw.

Daigle said pcTattletale periodically takes new screenshots of the device running the app, sometimes every few seconds.

Screenshots from two Wyndham hotels seen by TechCrunch show guests’ names and reservation details on a web portal provided by travel tech giant Sabre. Screenshots of web portals also show partial numbers of guests’ payment cards.

Another screenshot shows access to the booking system of a third Wyndham hotel, which at the time was logged into the Booking.com admin portal used to manage a guest’s booking.

It is not known who installed the app or how the app was installed — for example, whether hotel employees were tricked into installing it, or whether the hotel owner intended the spyware to be used to monitor employee behavior. pcTattletale is advertised as a way to monitor employees, among other applications.

The manager of one affected hotel told TechCrunch by phone that they were unaware the spyware was taking screenshots of their check-in computer. Managers at the other two hotels did not respond to TechCrunch’s calls or emails. TechCrunch is not naming the specific hotels due to the risk of retaliation against hotel employees.

Wyndham spokesman Rob Myers told TechCrunch in an email, “Wyndham is a franchise organization, which means that all of our hotels in the US are independently owned and operated.” Wyndham did not say whether it was aware that pcTattletale was being used on the front desk computers of its branded hotels, or whether the use of pcTattletale is permitted under Wyndham’s own policies.

Booking.com told TechCrunch that its own systems were not compromised by the spyware, but this case appears to be an example of how hotel systems are targeted by cybercriminals to gain access to hotel accounts.

“Some of our hosting partners have unfortunately been attacked by very convincing and sophisticated phishing tactics encouraging them to click on links or download attachments outside of our system, allowing malware to be loaded onto their machines and in some cases leading to unauthorized access to their Booking.com Profile,” said Angela Cavis, a spokesperson for Booking.com. “These bad actors then try to impersonate the partner (or even Booking.com) – sometimes very convincingly – to demand payment from customers outside of the rules in their booking confirmation.”

BBC News reported last December that cybercriminals gained access to the administrative portals of individual hotels that use Booking.com. With this access, the criminals then sent messages to customers through the company’s app to trick them into paying the criminals instead of the hotel.

It is not known whether pcTattletale or other spyware is related to previous incidents, and Booking.com said it is investigating.

“All tracks are covered”

There is a long history of stalkerware apps that are ostensibly advertised for legitimate purposes — tracking your own children is legal in the United States — but that also advertise, or directly state, that the apps can be used to target people without their knowledge, often spouses and domestic partners, which is illegal.

pcTattletale is marketed under the guise of child and employee monitoring software, but the company also advertises its app for use against “spouses who worry their partner may be cheating.”

A screenshot of pcTattletale’s member portal, which allows users to download a monitoring application that, according to the site, “users will not know pcTattletale is installed and running.” Image Credits: TechCrunch (screenshot)

pcTattletale develops spy apps for Android and Windows and both apps require physical access to the target device to install. pcTattletale provides its Windows spyware as a one-click download that can be installed in seconds, according to TechCrunch’s own tests and spyware analysis.

pcTattletale also offers a service called We Do It For You, which the company says will help install the spyware on the victim’s computer on behalf of the customer.

“We put pcTattletale on their Windows PC for you. Just pick a time,” the pcTattletale website tells customers on its member portal. “You will receive an email with instructions to access their computer. It takes us about 10 minutes. No traces left. All tracks are covered.” The customer is then sent a link “for our technician [sic] to access the computer.”

Brian Fleming, who founded and maintains pcTattletale, did not respond to TechCrunch’s request for comment.