Taking over 60k spyware user accounts with SQL injection


Serverless means it's secure, right?

Intercepting my test phone's traffic confirms that the files are uploaded directly to Firebase, and reveals that the commands for features like live photos are also delivered through FCM. This removes a lot of attack surface: nothing hosted in Firebase is going to be IDORable or vulnerable to SQL injection, and some quick testing rules out the usual traps, such as open storage buckets or service account credentials shipped in the client. That matters, because dumping a stalkerware service's database lets you do lots of fun things, like identify who runs it and report it to the various cloud providers who claim they'll take it down.
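The "quick testing" above is the kind of check worth scripting. The following is an added example, not code from the original post or from the author: it probes the two Firebase traps named in the paragraph, a world-readable Realtime Database or Storage bucket and a service-account key baked into the client. The REST URL shapes are Firebase's public ones; the project ID, bucket name, HTTP responses and APK string dump below are constructed so the classification logic runs offline, and the live `check_project` helper is the only part that touches the network.

```python
"""Firebase misconfiguration triage (added example, not the post's own code)."""
import json
import re
import urllib.error
import urllib.request
from typing import Tuple

# Public Firebase REST endpoint shapes. Project/bucket names are caller-supplied.
def rtdb_root_url(project_id: str) -> str:
    return f"https://{project_id}.firebaseio.com/.json"

def storage_list_url(bucket: str) -> str:
    return f"https://firebasestorage.googleapis.com/v0/b/{bucket}/o"

def fetch(url: str) -> Tuple[int, str]:
    """Unauthenticated GET; no token is attached on purpose, since the question
    is what an anonymous client on the internet can read."""
    req = urllib.request.Request(url, headers={"User-Agent": "fb-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def classify_rtdb(status: int, body: str) -> str:
    """Realtime Database root: 200 + JSON means world-readable;
    401/403 'Permission denied' means the security rules are doing their job."""
    if status == 200:
        try:
            json.loads(body)
            return "OPEN"
        except ValueError:
            return "UNKNOWN"
    if status in (401, 403):
        return "LOCKED"
    if status == 404:
        return "NOT_FOUND"
    return "UNKNOWN"

def classify_storage(status: int, body: str) -> str:
    """Storage bucket listing: 200 with 'items'/'prefixes' means anyone can
    enumerate uploads; 401/403 means listing is denied by rules."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "UNKNOWN"
        if isinstance(data, dict) and ("items" in data or "prefixes" in data):
            return "OPEN"
        return "UNKNOWN"
    if status in (401, 403):
        return "LOCKED"
    return "UNKNOWN"

# Client-side credential triage. A Firebase API key (AIza...) is expected in
# an APK and is not a secret; a service-account JSON with a private key is.
SERVICE_ACCOUNT_MARKERS = (
    re.compile(r'"type"\s*:\s*"service_account"'),
    re.compile(r'"private_key"\s*:\s*"-----BEGIN (?:RSA )?PRIVATE KEY-----'),
    re.compile(r'"client_email"\s*:\s*"[^"]+@[^"]+\.iam\.gserviceaccount\.com"'),
)
API_KEY = re.compile(r'\bAIza[0-9A-Za-z_-]{35}\b')

def triage_strings(text: str) -> dict:
    """Run over e.g. `strings` output of classes.dex and assets/; reports the
    public API key separately from leaked service-account material."""
    hits = sum(1 for m in SERVICE_ACCOUNT_MARKERS if m.search(text))
    return {
        "api_key_present": bool(API_KEY.search(text)),
        "service_account_markers": hits,
        "service_account_leaked": hits >= 2,
    }

def check_project(project_id: str, bucket: str) -> dict:
    """Live check against a real project (network access required)."""
    return {
        "rtdb": classify_rtdb(*fetch(rtdb_root_url(project_id))),
        "storage": classify_storage(*fetch(storage_list_url(bucket))),
    }

# Constructed samples standing in for live responses and an APK string dump.
SAMPLE_RTDB_DENIED = (401, '{"error":"Permission denied"}')
SAMPLE_RTDB_OPEN = (200, '{"devices":{"abc":{"lat":1.2,"lon":3.4}}}')
SAMPLE_STORAGE_DENIED = (403, '{"error":{"code":403,"message":"Permission denied."}}')
SAMPLE_STORAGE_OPEN = (200, '{"prefixes":["uploads/"],"items":[{"name":"uploads/1.jpg"}]}')
SAMPLE_APK_STRINGS = (
    'google_api_key AIza0123456789abcdefghijklmnopqrstuvwxy\n'
    '{"type": "service_account", "project_id": "example-app",\n'
    ' "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEv...",\n'
    ' "client_email": "fb-admin@example-app.iam.gserviceaccount.com"}\n'
)

if __name__ == "__main__":
    print("rtdb   :", classify_rtdb(*SAMPLE_RTDB_DENIED), classify_rtdb(*SAMPLE_RTDB_OPEN))
    print("storage:", classify_storage(*SAMPLE_STORAGE_DENIED), classify_storage(*SAMPLE_STORAGE_OPEN))
    print("strings:", triage_strings(SAMPLE_APK_STRINGS))
```

The split between `api_key_present` and `service_account_leaked` is the point: a Firebase API key in the client is by design and only identifies the project, so finding one is not a finding, whereas two or more service-account markers together mean the app ships a key that bypasses security rules entirely. Against a live target, `check_project("<project-id>", "<project-id>.appspot.com")` returns the two classifications; a `LOCKED` on both plus no leaked service account is what the post's quick testing amounts to.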
