<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Posts on Eric Daigle</title>
    <link>https://ericdaigle.ca/posts/</link>
    <description>Recent content in Posts on Eric Daigle</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Wed, 10 Dec 2025 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://ericdaigle.ca/posts/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>&#34;Super secure&#34; MAGA-themed messaging app leaks everyone&#39;s phone number</title>
      <link>https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/</link>
      <pubDate>Wed, 10 Dec 2025 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/</guid>
      <description>&lt;blockquote&gt;&#xA;&lt;p&gt;Neither of us had prior experience developing mobile apps, but we thought, “Hey, we’re both smart. This shouldn’t be too difficult.”&lt;/p&gt;&#xA;&lt;/blockquote&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;Freedom Chat CEO Tanner Haas&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h1 id=&#34;background&#34;&gt;Background&lt;/h1&gt;&#xA;&lt;p&gt;Once upon a time, in the distant memory that is 2023, a new instant messaging app called Converso was launched. Converso made some pretty impressive claims about its security: it claimed to implement state of the art end-to-end encryption, to collect no metadata, and to use a decentralized architecture that involved no servers at all. Unfortunately, security researcher crnković &lt;a href=&#34;https://crnkovic.dev/testing-converso/&#34;&gt;did some basic reverse engineering and traffic analysis&lt;/a&gt; and found all of these claims to be completely baseless, with Converso collecting plenty of metadata on every message and using a third-party E2EE provider to store messages on bog standard centralized servers. Even more unfortunately, crnković also found that Converso implemented the (perfectly functional if used properly) Seald E2EE service in such a way that encrypted messages&amp;rsquo; keys could be derived from publicly available information, and also uploaded a copy of every encrypted message to an open Firebase bucket, meaning every message ever sent on the service could be trivially read by anyone with an Internet connection. After being informed of the vulnerabilities, Converso initially released an update claiming to fix them, then withdrew from the App Store and Google Play to &amp;ldquo;address and improve the issues.&amp;rdquo;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Taking over 60k spyware user accounts with SQL injection</title>
      <link>https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/</link>
      <pubDate>Wed, 02 Jul 2025 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/</guid>
      <description>&lt;h1 id=&#34;background&#34;&gt;Background&lt;/h1&gt;&#xA;&lt;p&gt;Recently I was looking through a database of known stalkerware services and found one I wasn&amp;rsquo;t familiar with: &lt;a href=&#34;https://archive.is/Fttgd&#34;&gt;Catwatchful&lt;/a&gt;. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent, it also pretty brazenly advertised itself as stalkerware in the FAQ:&lt;/p&gt;</description>
    </item>
    <item>
      <title>Breaking into dozens of apartments in five minutes</title>
      <link>https://ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/</link>
      <pubDate>Sat, 15 Feb 2025 09:54:45 -0700</pubDate>
      <guid>https://ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes/</guid>
      <description>&lt;h1 id=&#34;background&#34;&gt;Background&lt;/h1&gt;&#xA;&lt;p&gt;A few months ago I was on my way to catch the &lt;a href=&#34;https://www.instagram.com/seabusmemes/?hl=en&#34;&gt;SeaBus&lt;/a&gt; when I walked by an apartment building with an interesting looking access control panel. I wrote down the “MESH by Viscount” brand name and made a note to look into it when I had a chance. I ended up just missing my ferry (the 30 minute Sunday headways are brutal), so I decided to see if I could find anything promising on my phone while waiting at Waterfront for the next boat.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Bypassing iChano AtHome’s homegrown cryptography with Frida</title>
      <link>https://ericdaigle.ca/posts/breaking-homegrown-cryptography-with-frida/</link>
      <pubDate>Sun, 21 Jul 2024 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/breaking-homegrown-cryptography-with-frida/</guid>
      <description>&lt;h1 id=&#34;background&#34;&gt;Background&lt;/h1&gt;&#xA;&lt;p&gt;Today we take a break from exploring stalkerware/watchware to examine a vulnerability in &lt;a href=&#34;http://ichano.com/index.html?session_id=undefined&#34;&gt;iChano AtHome Camera&lt;/a&gt;, a pair of applications allowing smartphones and computers to be used as IoT-enabled security cameras. This exploit allows an attacker snooping on the network while an AtHome Camera user logs into the Viewer app to intercept the credentials of all cameras to which the user has access, and later view or control these cameras from anywhere over the Internet. While this is somewhat less exciting than leaking &lt;a href=&#34;https://www.ericdaigle.ca/posts/isharing-data-leak-writeup/&#34;&gt;the live locations of millions&lt;/a&gt; or &lt;a href=&#34;https://www.ericdaigle.ca/posts/pctattletale-leaking-screen-captures/&#34;&gt;the screen recordings of tens of thousands&lt;/a&gt;, it’s a good demonstration of some Android dynamic instrumentation techniques.&lt;/p&gt;</description>
    </item>
    <item>
      <title>PCTattletale leaks victims’ screen recordings to entire Internet</title>
      <link>https://ericdaigle.ca/posts/pctattletale-leaking-screen-captures/</link>
      <pubDate>Wed, 22 May 2024 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/pctattletale-leaking-screen-captures/</guid>
      <description>&lt;h1 id=&#34;background&#34;&gt;Background&lt;/h1&gt;&#xA;&lt;p&gt;&lt;a href=&#34;https://www.pctattletale.com/&#34;&gt;PCTattletale&lt;/a&gt; is a simple stalkerware app. Instead of providing the sophisticated monitoring of many &lt;a href=&#34;https://techcrunch.com/2024/02/12/new-thetruthspy-stalkerware-victims-is-your-android-device-compromised/&#34;&gt;similarly insecure&lt;/a&gt; competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target’s browser.&lt;/p&gt;&#xA;&lt;p&gt;I recently discovered a serious vulnerability in PCTattletale’s API which allows any attacker to obtain the most recent screen capture recorded from any device on which PCTattletale is installed. It is distinct from the IDOR &lt;a href=&#34;https://www.vice.com/en/article/m7ezj8/stalkerware-leaking-phone-screenshots-pctattletale&#34;&gt;previously discovered by Jo Coscia&lt;/a&gt;, and makes it trivial to actually obtain captures from other devices. As usual, Zack Whittaker has &lt;a href=&#34;https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/&#34;&gt;excellent coverage&lt;/a&gt; at TechCrunch. Unfortunately, PCTattletale has ignored Zack’s and my attempts at contacting them to fix the issue, &lt;del&gt;so I can’t give any more details here to avoid encouraging abuse of the vulnerability. Hopefully the stalkerware author(s) can be bothered to fix the issue soon, at which point I can give a full writeup. 
In the meantime,&lt;/del&gt; if you think you may be a victim of stalkerware, run an antivirus scan — on Windows, Windows Defender seems to catch most known tools, while on Android I’ve heard good things about Malwarebytes — and have a look at the excellent advice from the &lt;a href=&#34;https://stopstalkerware.org/information-for-survivors/&#34;&gt;Coalition Against Stalkerware&lt;/a&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>iSharing data leak writeup</title>
      <link>https://ericdaigle.ca/posts/isharing-data-leak-writeup/</link>
      <pubDate>Wed, 24 Apr 2024 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/isharing-data-leak-writeup/</guid>
      <description>&lt;h1 id=&#34;backgruond&#34;&gt;Background&lt;/h1&gt;&#xA;&lt;p&gt;I recently discovered a serious security lapse in iSharing, a location tracker/parental control app for iOS and Android that claims over 35 million users. Upon discovering the issue and getting no response from the developers I contacted &lt;a href=&#34;https://techcrunch.com/author/zack-whittaker/&#34;&gt;Zack Whittaker&lt;/a&gt; at TechCrunch, who was super helpful first in confirming the vulnerability and then in establishing contact with the devs. Zack wrote a &lt;a href=&#34;https://techcrunch.com/2024/04/24/security-flaws-isharing-tracking-app-exposed-millions-precise-locations&#34;&gt;great article&lt;/a&gt; covering the high-level story and implications, so this post will focus on a writeup of the technical details.&lt;/p&gt;</description>
    </item>
    <item>
      <title>[UofTCTF 2024] basic-overflow</title>
      <link>https://ericdaigle.ca/posts/uoftctf-2024-basic-overflow/</link>
      <pubDate>Sun, 28 Jan 2024 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/uoftctf-2024-basic-overflow/</guid>
      <description>&lt;h1 id=&#34;problem-description&#34;&gt;Problem Description&lt;/h1&gt;&#xA;&lt;blockquote&gt;&#xA;&lt;p&gt;This challenge is simple. It just gets input, stores it to a buffer. It calls gets to read input, stores the read bytes to a buffer, then exits. What is gets, you ask? Well, it’s time you read the manual, no? Author: drec&lt;/p&gt;&#xA;&lt;/blockquote&gt;&#xA;&lt;p&gt;This is a simple beginner pwn challenge.&lt;/p&gt;&#xA;&lt;h1 id=&#34;getting-started&#34;&gt;Getting started&lt;/h1&gt;&#xA;&lt;p&gt;We connect with netcat and see the program silently accepts a random input, not too exciting.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Spatial joins with geopandas and shapely</title>
      <link>https://ericdaigle.ca/posts/geospatial-joins-geopandas-shapely/</link>
      <pubDate>Fri, 30 Sep 2022 00:00:00 +0000</pubDate>
      <guid>https://ericdaigle.ca/posts/geospatial-joins-geopandas-shapely/</guid>
      <description>&lt;p&gt;Recently a project at work required me to write an automated and reusable script to add country data to &lt;a href=&#34;https://nsidc.org/data/iglgs1b/versions/1&#34;&gt;NSIDC’s Free Air Gravity Anomaly dataset&lt;/a&gt;. The classic open-source solution would have been PyQGIS’s processing module, but QGIS strangely still doesn’t support editing CSV layers out of the box, which would make for annoying intermediate steps converting to and from GeoJSON.&lt;/p&gt;&#xA;&lt;p&gt;Fortunately in 2022 Python has an excellent set of geospatial libraries available. After loading the IceBridge data into a pandas DataFrame, we can easily build a geopandas GeoDataFrame with a new column of Shapely Points initialized from the provided Longitude and Latitude fields:&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
