A new security flaw in TheTruthSpy phone spyware is putting victims at risk

A newly discovered security vulnerability in TheTruthSpy, a notorious stalkerware application, has raised serious concerns over the privacy of its users. This flaw enables unauthorized individuals to reset the passwords of any account on the platform, jeopardizing the sensitive personal information of countless victims. The vulnerability was identified by independent security expert Swarang Wade, highlighting a significant risk for individuals unaware that their data is being exploited. TheTruthSpy has a troubling history of data breaches, and this latest issue reflects the ongoing inadequacies in the security practices of consumer spyware applications. Often utilized by abusive partners, these apps not only facilitate illegal surveillance but also fail to protect the data of both victims and perpetrators. Recent investigations revealed that at least 26 spyware operations have suffered similar data leaks in recent years, with TheTruthSpy experiencing its fourth security breach to date. Upon discovering the vulnerability, Wade attempted to notify the owner of TheTruthSpy, Van (Vardy) Thieu, but received no response. When contacted by reporters, Thieu claimed to have lost the source code needed to address the flaw. As of now, the vulnerability remains unpatched, continuing to pose a significant threat to the thousands of individuals whose devices may be compromised by TheTruthSpy’s invasive software. TheTruthSpy, operated by Vietnam-based 1Byte Software, has been a prominent player in the spyware industry for nearly a decade. Its widespread use is supported by various similarly branded Android apps, all utilizing the same underlying code, which raises further security concerns across multiple platforms. Previous investigations by TechCrunch have revealed that TheTruthSpy previously exposed the private information of over 400,000 victims, including messages, photos, and location data. In 2023, another incident resulted in a data breach affecting an additional 50,000 individuals, with TechCrunch receiving a portion of this stolen data. Although some aspects of TheTruthSpy's operations have ceased, the application has attempted to rebrand as PhoneParental, while Thieu remains involved in developing surveillance software. Recent analyses indicate that the new app, MyPhones.app, still relies on the same vulnerable infrastructure as TheTruthSpy. As these spyware operations continue to put victims at risk, it is crucial for individuals to remain vigilant. Resources are available for those who suspect their devices may be compromised, and support is offered for victims of domestic abuse through the National Domestic Violence Hotline at 1-800-799-7233. For further information on identifying and removing stalkerware, TechCrunch provides a detailed guide for users.