The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called "stalkerware." An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
https://www.kb.cert.org/vuls/id/229438