A controversial spying tool called E-Detective used by over 100 governments and law enforcement agencies around the world has a serious security vulnerability which could allow hackers access to highly sensitive information.
E-Detective is a product developed by Taiwanese company Decision Group and is described as a "real-time network forensics and lawful interception system" - which means it will allow customers to spy on people using mobile or internet networks and capture data including usernames and passwords from services such as Gmail, Twitter, Facebook and even banking websites.
A computer science student has uncovered a major security flaw in the E-Detective software which could allow anyone exploiting it to remotely access the system, execute code and read any of the captured data.
Mustafa al-Bassam, a second-year computer science student at King's College London and former member of the Anonymous hacking group LulzSec, has published an advisory note after he discovered the flaw, having downloaded a demo version of the software, which is freely available from the Decision Group website.
According to al-Bassam, a "script in the web root allows for unauthenticated users to read arbitrary files on the system. This may include database credentials and captured data intercepts". Al-Bassam has published a proof of concept for the vulnerability on GitHub.
A second vulnerability allows for the remote execution of code and the overwriting of sensitive system files.
Sniffing the network
Decision Group boasts on its website that the software is being used by more than 100 law enforcement agencies around the world, including government agencies, criminal investigation bureaus, as well as national and military police. It calls E-Detective "the most complete tool for conducting cybercrime investigations".
IBTimes UK has asked Decision Group for a comment on the vulnerability reported by al-Bassam, but at the time of publication it had not responded.
E-Detective works by "sniffing the network" it is monitoring, capturing data packets before sending them to be reassembled and decoded.
Unlike other products, E-Detective promises to "reconstruct the data to its original format" for the end users so that it will be seen the same way that it was seen on the network.
E-Detective is also advertised as a network forensic tool for private enterprises to "protect sensitive data from data leakage".
E-Detective says it can decode over 140 internet protocols including HTTP and even YouTube videos as standard, but it also offers an additional module which will allow users to decode the HTTPS standard widely used to protect websites where sensitive data is being captured, such as banking and webmail services.
The promotional video for E-Detective even names Gmail, Hotmail, Facebook and Twitter as services which it can monitor once the additional module is in place, allowing you to capture username and password details for all these services.