The tool, a product called E-Detective, is a "real-time network forensics and lawful interception system" according to its developer, Taiwanese company Decision Group.
That description means it will allow customers to spy on people using mobile or Internet networks and capture data including usernames and passwords from services such as Gmail, Twitter, Facebook and even banking websites, according to International Business Times.
Now, a computer science student has uncovered a major security flaw in the E-Detective software which could allow anyone exploiting it to remotely access the system, execute code and read any of the captured data, IBT reported.
Mustafa al-Bassam, a computer science student at King's College London and former member of the Anonymous hacking group LulzSec, discovered the flaw after downloading a demo version of the software from the Decision Group website.
According to al-Bassam, a "script in the web root allows for unauthenticated users to read arbitrary files on the system. This may include database credentials and captured data intercepts." Al-Bassam has published a proof of concept for the vulnerability on GitHub.
A second vulnerability allows remote code execution and the overwriting of sensitive system files, IBT reported.
According to the Decision Group website, E-Detective is used by more than 100 law enforcement agencies around the world, including government agencies, criminal investigation bureaus, and national and military police. The company calls the software "the most complete tool for conducting cybercrime investigations."
E-Detective works by "sniffing the network" it is monitoring, capturing data packets and then sending them to be reassembled and decoded. Unlike other products, E-Detective promises to "reconstruct the data to its original format" for the end users so that it will be seen the same way that it was seen on the network, IBT reported.
E-Detective is also advertised as a network forensic tool for private enterprises to "protect sensitive data from data leakage."
E-Detective says it can decode over 140 Internet protocols, including HTTP and even YouTube videos, as standard, but it also offers an additional module which will allow users to decode the HTTPS standard widely used to protect websites where sensitive data is being captured, such as banking and webmail services, IBT reported.
A promotional video for E-Detective names Gmail, Hotmail, Facebook and Twitter as services it can monitor, allowing the user to capture username and password details for all these services.