Featured Article

Spyware found on US hotel check-in computers

The check-in computers at several hotels around the US are running a remote access app, which is leaking screenshots of guest information to the internet

Comment

a series of illustrated laptops featuring red, glitchy and matrix-like text symbolizing malware
Image Credits: Bryce Durbin / TechCrunch

A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned.

The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware’s intended users. 

This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It’s also the second known time that pcTattletale has exposed screenshots of the devices on which the app is installed. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.

Guest and reservation details captured and exposed

pcTattletale allows whomever controls it to remotely view the target’s Android or Windows device and its data, from anywhere in the world. pcTattletale’s website says the app “runs invisibly in the background on their workstations and can not be detected.”

But the bug means that anyone on the internet who understands how the security flaw works can download the screenshots captured by the spyware directly from pcTattletale’s servers. 

Security researcher Eric Daigle told TechCrunch that he found the compromised hotel check-in systems as part of an investigation into consumer-grade spyware. These apps are often referred to as “stalkerware” for their ability to be used to track people — including spouses and domestic partners — without their knowledge or consent. 

Daigle said he attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed at the time of publication. Daigle disclosed limited details of pcTattletale’s leaking screenshot bug in a short blog post, without providing specifics so as to not help bad actors take advantage of the flaw. 

Daigle said pcTattletale periodically takes new screenshots of the device that the app is running on, sometimes every few seconds.

The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests’ partial payment card numbers.

Another screenshot showed access to a third Wyndham hotel’s check-in system, which at the time was logged into Booking.com’s administration portal used to manage a guest’s reservation.

It’s not known who planted the app or how the app was planted — for example, if hotel employees were tricked into installing it, or if the hotel owner intended the spyware to be used to monitor employee behavior. pcTattletale markets itself as a way to monitor employees, among other uses.

The manager of one affected hotel told TechCrunch by phone that they were unaware that the spyware was taking screenshots of their check-in computer. The managers of the other two hotels did not return TechCrunch’s calls or emails. TechCrunch is not naming the specific hotels given the risk of retaliation against hotel employees.

Wyndham spokesperson Rob Myers told TechCrunch in an email: “Wyndham is a franchise organization, meaning all of our hotels in the U.S. are independently owned and operated.” Wyndham would not say if it was aware that pcTattletale was used on the front-desk computers of its branded hotels or if the use of pcTattletale was approved by Wyndham’s own policies.

Booking.com told TechCrunch that its own systems were not compromised by the spyware, but that this case seemed like an example of how hotel systems are targeted by cybercriminals to get access to the hotel’s accounts.

“Some of our accommodation partners have unfortunately been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links or download attachments outside of our system that enable malware to load on their machines and in some cases, lead to unauthorized access to their Booking.com account,” said Angela Cavis, a spokesperson for Booking.com. “These bad actors then attempt to impersonate the partner (or even Booking.com) — sometimes very convincingly — to request payment from customers outside of the policy in their booking confirmation.”

BBC News reported last December that cybercriminals had obtained access to the administration portals of individual hotels that use Booking.com. With this access, the criminals then sent messages to customers from the company’s app to trick them into paying them instead of the hotel. 

It’s not known if pcTattletale or other spyware is linked to previous incidents, and Booking.com said it was investigating.

“All tracks covered”

There is a long history of stalkerware apps that ostensibly market themselves for legitimate uses — tracking your own children is legal in the United States — but also promote, or outright say, that the apps can be used to target people without their knowledge, often spouses and domestic partners, which is unlawful.

pcTattletale is sold under the guise of child and employee monitoring software, but the company also promotes its app for use against “spouses who worry that their partner might be cheating.” 

a screenshot of pcTattletale's member portal, which asks "Do you want your users to know they are being monitored," and if the user says "no," it presents a download box along with the text: "Users will not know pcTattletale is installed and running. 'We Do It For You' Remote Installation service."
A screenshot of pcTattletale’s member portal, which allows users to download its monitoring app that “users will not know pcTattletale is installed and running.” Image Credits: TechCrunch (screenshot)

pcTattletale develops spyware apps for Android and Windows and both apps require physical access to a target’s device to install. pcTattletale provides its Windows spyware app as a one-click download that can be installed in a few seconds, according to TechCrunch’s own tests and analysis of the spyware. 

pcTattletale also offers a service called “We Do It For You,” which the company says will help install the spyware on the target’s computer on the customer’s behalf. 

“We put pcTattletale on their Windows Computer for you. Just pick a time,” pcTattletale’s website tells customers inside its members’ portal. “You will get an email with instructions for us to access their computer. It takes us about 10 minutes. No traces left behind. All tracks covered.” The customer is then sent a link “for our techncian [sic] to access the computer.”

Stalkerware operates in a murky legal space in the U.S., where the possession of spyware itself is not illegal, but its use against people without their knowledge and consent is unlawful. U.S. prosecutors have charged stalkerware developers in the past for facilitating non-consensual surveillance, as pcTattletale says it provides.

Bryan Fleming, who founded and maintains pcTattletale, did not respond to TechCrunch’s request for comment. 


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.

More TechCrunch

Fisker is just a few days into its Chapter 11 bankruptcy, and the fight over its assets is already charged, with one lawyer claiming the startup has been liquidating assets…

The fight over Fisker’s assets is already heating up

A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum. On Thursday, a hacker put up for sale…

Hacker claims to have 30 million customer records from Australian ticket seller giant TEG

Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. Elon…

Tesla makes Musk best-paid CEO of all time and Fisker bites the dust

Dot is a new AI companion and chatbot that thrives on getting to know your innermost thoughts and feelings.

Dot’s AI really, really wants to get to know you

The e-fuels startup is working on producing fuel for aviation and maritime shipping using carbon dioxide and other waste carbon streams.

E-fuels startup Aether Fuels is raising $34.3 million, per filing

Fisker was facing “potential financial distress” as early as last August, according to a new filing in its Chapter 11 bankruptcy proceeding, which the EV startup initiated earlier this week.…

Fisker faced financial distress as early as last August

Cruise, the self-driving subsidiary of General Motors, has agreed to pay a $112,500 fine for failing to provide full information about an accident involving one of its robotaxis last year.…

Cruise clears key hurdle to getting robotaxis back on roads in California

Feel Therapeutics has a pretty original deck, with some twists we rarely see; the company did a great job telling the overall story.

Pitch Deck Teardown: Feel Therapeutics’ $3.5M seed deck

The Rockset buy fits into OpenAI’s broader recent strategy of investing heavily in its enterprise sales and tech orgs.

OpenAI buys Rockset to bolster its enterprise AI

The U.S. government announced sanctions against 12 executives and senior leaders of the Russia-based cybersecurity giant Kaspersky. In a press release, the Department of the Treasury’s Office of Foreign Assets…

US government sanctions Kaspersky executives

Style DNA, an AI-powered fashion stylist app, creates a personalized style profile from a single selfie. The app is particularly useful for people interested in seasonal color analysis, a process…

Style DNA gets a generative AI chatbot that suggests outfit ideas based on your color type

Rates of depression, anxiety and suicidal thoughts are surging among U.S. teens. A recent report from the Center of Disease Control found that nearly one in three girls have seriously…

Khosla-backed Marble, built by former Headway founders, offers affordable group therapy for teens

Cover says what sets it apart is the underlying technology it employs, which has been exclusively licensed from NASA’s Jet Propulsion Laboratory.

A new startup from Figure’s founder is licensing NASA tech in a bid to curb school shootings

Spotify is introducing a new “Basic” streaming plan in the United States, the company announced on Friday. The new plan costs $10.99 per month and includes all of the benefits…

Spotify launches a new Basic streaming plan in the US

Photographers say the social media giant is applying a ‘Made with AI’ label to photos they took, causing confusion for users.

Meta is tagging real photos as ‘Made with AI,’ say photographers

Website building platform Squarespace is selling Tock, its restaurant reservation service, to American Express in a deal worth $400 million — the exact figure that Squarespace paid for the service…

Squarespace sells restaurant reservation system Tock to American Express for $400M

Featured Article

Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

The February ransomware attack on UHG-owned Change Healthcare stands as one of the largest-ever known digital thefts of U.S. medical records.

20 hours ago
Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

Google said today that it globally paused its experiment that aimed to allow new kinds of real-money games on the Play Store, citing the challenges that come with the lack…

Google pauses its experiment to expand real-money games on the Play Store

Venture firms raised $9.3 billion in Q1 according to PitchBook data, which means this year likely won’t match or surpass 2023’s $81.8 billion total. While emerging managers are feeling the…

Kevin Hartz’s A* raises its second oversubscribed fund in three years

Google is making reviews of all your movies, TV shows, books, albums and games visible under one profile page starting June 24, according to an email sent to users last…

Google is making your movie and TV reviews visible under a new profile page

Zepto, an Indian quick commerce startup, has more than doubled its valuation to $3.6 billion in a new funding round of $665 million.

Zepto, a 10-minute delivery app, raises $665M at $3.6B valuation

Speak, the AI-powered language learning app, has raised new money from investors at double its previous valuation.

Language learning app Speak nets $20M, doubles valuation

SpaceX unveiled Starlink Mini, a more portable version of its satellite internet product that is small enough to fit inside a backpack.  Early Starlink customers were invited to purchase the…

SpaceX debuts portable Starlink Mini for $599

Ali Rathod-Papier has stepped down from her role as global head of compliance at corporate card expense management startup Brex to join venture firm Andreessen Horowitz (a16z) as a partner…

Brex’s compliance head has left the fintech startup to join Andreessen Horowitz as a partner

U.S. officials imposed the “first of its kind” ban arguing that Kaspersky threatens U.S. national security because of its links to Russia.

US bans sale of Kaspersky software citing security risk from Russia 

Apple has released Final Cut Pro for iPad 2 and Final Cut Camera, the company announced on Thursday. Both apps were previously announced during the company’s iPad event in May.…

Apple releases Final Cut Pro for iPad 2 and Final Cut Camera

Paris has quickly established itself as a major European center for AI startups, and now another big deal is in the works.

Poolside is raising $400M+ at a $2B valuation to build a supercharged coding co-pilot

The space industry is all abuzz about how SpaceX’s Starship, Blue Origin’s New Glenn, and other heavy-lift rockets will change just about everything. One likely consequence is that spacecraft will…

Gravitics prepares a testing gauntlet for a new generation of giant spacecraft

LTK (formerly LiketoKnow.it and RewardStyle), the influencer shopping app with 40 million monthly users, announced on Thursday the launch of a free direct message tool for creators to instantly share…

Influencer shopping app LTK gets an automatic direct message tool

YouTube appears to be taking a firm stance against Premium subscribers who attempt to use a VPN (virtual private network) to access cheaper subscription prices in other countries. This week,…

YouTube confirms crackdown on VPN users accessing cheaper Premium plans