The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug in which a server hands back whatever file or record a user-supplied identifier points to, because of sub-par, or no, authorization checks on the server side. It’s similar to needing a key to unlock your mailbox, except that the same key also unlocks every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability; TechCrunch has found and privately disclosed similar flaws before, such as when LabCorp exposed thousands of lab test results, and the recent case of CDC-approved health app Docket exposing COVID-19 digital vaccine records. One upside is that an IDOR can often be fixed on the server alone, without rolling out a software update to an app, or in this case a fleet of apps.
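To make the mailbox analogy concrete, here is an added example, written for this page and not code from the TechCrunch article or from the apps it describes. It models a record-lookup endpoint in memory: the vulnerable handler checks only that someone is logged in, the fixed handler also checks that the requested record belongs to that user, and a small enumeration loop plays the attacker walking sequential IDs. The record store, account names and function names are all constructed for illustration.

```python
"""Added example: an IDOR and its server-side fix, modelled in memory.
Not code from the article or the apps it describes; data and names are
constructed for illustration."""

from typing import Callable, Dict, Iterable, List

# Constructed sample store: sequential IDs, each record owned by one account.
# Sequential IDs are what make the "try the next mailbox" attack trivial.
RECORDS: Dict[int, dict] = {
    1001: {"owner": "alice", "body": "alice's private data"},
    1002: {"owner": "bob", "body": "bob's private data"},
    1003: {"owner": "carol", "body": "carol's private data"},
}


class Forbidden(Exception):
    """Request rejected: no valid session."""


class NotFound(Exception):
    """No record the requester is allowed to see has this ID."""


def get_record_vulnerable(session_user: str, record_id: int) -> dict:
    """Authenticates (a session exists) but never authorizes.

    Any logged-in user can read any record simply by changing record_id,
    which is the IDOR: the identifier is trusted as if it were a capability.
    """
    if not session_user:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def get_record_fixed(session_user: str, record_id: int) -> dict:
    """Same lookup plus an ownership check, applied on the server only.

    The client keeps sending the same request, so no app update is needed.
    A foreign record is reported exactly like a missing one, so the endpoint
    does not confirm which IDs exist to an attacker probing the ID space.
    """
    if not session_user:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        raise NotFound(record_id)
    return rec


def enumerate_records(
    handler: Callable[[str, int], dict], session_user: str, id_range: Iterable[int]
) -> List[int]:
    """Attacker's view: walk a range of IDs and keep the ones the handler serves.

    Against the vulnerable handler this yields every other user's records;
    against the fixed handler only the caller's own.
    """
    found: List[int] = []
    for rid in id_range:
        try:
            handler(session_user, rid)
            found.append(rid)
        except (Forbidden, NotFound):
            continue
    return found


if __name__ == "__main__":
    scan = range(1000, 1010)
    print("vulnerable:", enumerate_records(get_record_vulnerable, "alice", scan))
    print("fixed:     ", enumerate_records(get_record_fixed, "alice", scan))
```

The fix is a single extra predicate on the lookup, which is why this class of bug can be closed at the server without touching the installed apps. In a real backend the same idea is a query scoped to the caller (`WHERE id = ? AND owner_id = ?`) rather than a lookup by ID followed by a check, and the point about returning the same "not found" for foreign and missing records applies equally there.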
Whittaker, Z. (2022, February 22). Behind the stalkerware network spilling the private phone data of hundreds of thousands. TechCrunch. https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/