A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed.

Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.

This basic flaw shows, once again, that makers of consumer spyware such as TheTruthSpy — and its many competitors — cannot be trusted with anyone’s data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators.

To date, TechCrunch has counted at least 26 spyware operations that’ve leaked, exposed, or otherwise spilled data in recent years. By our count, this is at least the fourth security lapse involving TheTruthSpy.

TechCrunch verified the vulnerability by providing the researcher with the username of several test accounts. The researcher quickly changed the passwords on the accounts.

Wade attempted to contact the owner of TheTruthSpy to alert him of the flaw, but he did not receive any response. When contacted by TechCrunch, the spyware operation’s director Van (Vardy) Thieu said he “lost” the source code and cannot fix the bug.

As of publication, the vulnerability still exists and presents a significant risk to the thousands of people whose phones are believed to be unknowingly compromised by TheTruthSpy’s spyware.

Given the risk to the general public, we’re not describing the vulnerability in more detail so as to not aid mali...
First seen: 2025-08-25 18:14
Last seen: 2025-08-26 15:18