We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

US Hotel Check-In Systems Found Harboring Spyware App

Husain Parvez, Cybersecurity Researcher. Published on 25th May 2024.

A consumer-grade spyware app, pcTattletale, has been discovered to be running on check-in systems at three Wyndham hotels in the United States, according to a TechCrunch report. The spyware captures screenshots of the hotel booking systems, exposing guest names, reservation details, and partial card numbers. Due to a security flaw in the spyware, this information is available to everyone on the internet — not just the spyware’s intended users.

Eric Daigle, the security researcher who uncovered the issue, attempted to report it to pcTattletale, but the company did not respond, leaving the flaw unfixed. According to Daigle, anyone on the internet who understands how the security flaw works can download the screenshots.

Captured screenshots from two Wyndham hotels showed guest details on a web portal provided by travel tech giant Sabre, while a third hotel's check-in system was logged into Booking.com’s administration portal.

Daigle's findings were part of a broader investigation into consumer-grade spyware, often referred to as "stalkerware" for its use in tracking people without their knowledge or consent. Exactly how the spyware was installed remains unclear. Potential scenarios include a malicious third party tricking hotel employees into installing the software or deliberate installation by hotel management.

Vice highlighted the lax security practices of many stalkerware companies, including pcTattletale, which markets itself for monitoring spouses without their consent. The app allows anyone to view screenshots of infected devices simply by visiting specific URLs.

Security researcher Jo Coscia demonstrated that pcTattletale uploads victim data to an AWS server that requires no authentication, making it possible for attackers to access these images. In addition, Bryan Fleming, the owner of pcTattletale, admitted to retaining the data of free trial users for longer than what’s stated in promotional emails, citing user needs to recover screenshots post-trial.

In response to the incident, Wyndham emphasized that all its hotels in the US are independently owned and operated and did not confirm whether they were aware of or approved pcTattletale’s use. Booking.com noted that its systems were not compromised but acknowledged that phishing tactics have targeted its accommodation partners.

This incident adds to the growing concerns about the misuse of commercial spyware, a trend highlighted in a recent report by Google's Threat Analysis Group (TAG). The report details how spyware, often supplied by European-based startups, is increasingly used by governments for surveillance. Last year, cybersecurity experts also discovered two spyware apps on Google Play disguised as file management tools, which have threatened the security of over 1.5 million users by transmitting their personal data to servers in China.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.