It's unexpected to me that someone with the technical know-how to build spyware like this and a nice web interface for it made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
replies(5):
In many cases it's just not something that's taught at school or that is covered in training. So it's a mindset that just isn't there, even when they're great at other parts of the craft.
If you're building anything that is going to be exposed to the public Internet and you aren't, at some point, going through the exercise of "how can people break or abuse or hack this" then you're missing a step for sure.