Taking over 60k spyware user accounts with SQL injection

https://news.ycombinator.com/rss Hits: 10
Summary

Background

Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent, it also pretty brazenly advertised itself as stalkerware in the FAQ:

Q: Can I monitor a phone without them knowing?
A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.

Apparently still unsatisfied, it boasted even further about “absolute stealth” in a list of features:

Catwatchful is invisible. It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you can access the information it collects.

Let’s see about that last part, shall we?

Part 0: Setup

I began by making a free trial account on the website. Interestingly, this triggered two separate POST requests:

METHOD: POST
URL: https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=AIzaSyBVQYU9-rygrs-NQhOdhtY1iC02JOq_l0U
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Client-Version: Firefox/JsCore/10.12.2/FirebaseCore-web
X-Firebase-gmpid: 1:290254967732:android:1be5a596e0649f3e
Content-Type: application/json
Origin: https://cp.catwatchful.com
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Priority: u=6
TE: trailers

{"returnSecureToken":true,"email":"test123@edaigle.ca","password":"test123","clientType":"CLIENT_TYPE_WEB"}

STATUS: 200 OK
<uninteresting successful firebase account creation response>

and

METHOD: POST
URL: https://catwatchful.pink/webservice/servicios.php?operation=newUser&email=test123@edaigle...

First seen: 2025-07-08 16:31

Last seen: 2025-07-09 01:32