Fertility tracker Glow fixes bug that exposed users’ personal data


Share post:

A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.

The bug exposed users’ first and last names, self-reported age group (such as children aged 13-18 and adults aged 19-25, and aged 26 and older), the user’s self-described location, the app’s unique user identifier (within Glow’s software platform), and any user-uploaded images, such as profile photos.

Security researcher Ovi Liber told TechCrunch that he found user data leaking from Glow’s developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.

An API allows two or more internet-connected systems to communicate with each other, such as a user’s app and the app’s backend servers. APIs can be public, but companies with sensitive data typically restrict access to its own employees or trusted third-party developers.

Liber, however, said that Glow’s API was accessible to anyone, as he is not a developer.

An unnamed Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative’s name. As such, TechCrunch is not printing Glow’s response.

In a blog post published on Monday, Liber wrote that the vulnerability he found affected all of Glow’s 25 million users. Liber told TechCrunch that accessing the data was relatively easy.

Contact Us

Do you have more information about similar flaws in fertility-tracking apps? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.

“I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.”

While the leaking data might not seem extremely sensitive, a digital security expert believes Glow users’ deserve to know that this information is accessible.

“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director at the digital rights non-profit Electronic Frontier Foundation, told TechCrunch, referring to Liber’s research. “Even without getting into the question of what is and is not [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.”

Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”

In 2016, Consumer Reports found that it was possible to access Glow user’s data and comments about their sex lives, history of miscarriages, abortions and more, because of a privacy loophole related to the way the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Attorney General, which accused the company of failing to “adequately safeguard [users’] health information,” and “allowed access to user’s information without the user’s consent.”

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Facebook plans to shut down its news tab in the U.S. and Australia

Meta is trying to distance itself from news media-related regulations and payment complexities as it is planning...

Google to remove some Indian apps over Play Store fees violation

Google has warned it will begin removing apps in India from its Play Store if developers do...

Intuitive Machines’ first moon lander also broke ground with safer, cheaper rocket-style propulsion

Intuitive Machines’ first lunar lander officially lost power today after spending seven days on the moon. The...

Lordstown Motors charged with misleading investors about the sales potential of its EV pickup

The Securities and Exchange Commission has charged bankrupt Lordstown Motors with misleading investors about the sales prospects...

A minor league baseball team trolls Disney with its ‘Steamboat Willie’ jerseys

I’ve seen enough: The prize for the best use of public domain Mickey Mouse goes to the...

Fisker is laying off 15% of staff and says it needs more cash ahead of a “difficult year”

Electric vehicle startup Fisker is planning to lay off 15% of its workforce and says it likely...

A leaky database spilled 2FA codes for the world’s tech giants

A technology company that routes millions of SMS text messages across the world has secured an exposed...

Ariel Kaye built a brand that’s outlasted the DTC boom

It’s no surprise that after 10 years, Parachute, the home lifestyle brand, stands as the dust settles...