A bug in the online forum of fertility tracking app Glow has exposed the personal data of around 25 million users, security researchers say.
This bug allows the user's first and last name, self-declared age range (kids 13-18, adults 19-25, 26+, etc.), user's self-declared location, and the app's unique user ID (Glow's (within the software platform), and user-uploaded images such as profile pictures.
Security researcher Ovi Liber told TechCrunch that he discovered user data was being leaked from Glow's developer API. Liber reported the bug to Glow in October, and Glow said it fixed the leak about a week later.
APIs allow two or more internet-connected systems, such as your app and your app's backend server, to communicate with each other. APIs can be made public, but companies with sensitive data typically restrict access to their own employees or trusted third-party developers.
However, since Liber is not a developer, he said anyone can access Glow's API.
An anonymous Glow representative confirmed to TechCrunch that the bug has been fixed, but Glow declined to discuss the bug or its impact on the record or to reveal the representative's name. As a result, TechCrunch is not publishing Glow's answer.
In a blog post published Monday, Liber wrote that the vulnerabilities he discovered affected all of Glow's 25 million users. Liber told TechCrunch that accessing the data was relatively easy.
inquiry
Do you have more information about similar flaws in fertility tracking apps? We'd love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely from any non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
“I basically use Android devices. [network analysis tool] I burped and looked in the forum and noticed that the API call was returning user data. That's where we found IDOR,” Liber said, referring to the types of vulnerabilities where servers lack proper checks to ensure only authorized users or developers are allowed access. Mentioned. “They say it should only be available to developers; [it’s] That's not true. This is a public API endpoint that returns data for each user. The attacker simply needs to know how her API calls are made. ”
Although the leaked data may not seem all that sensitive, digital security experts believe that Glow users have a right to know that this information is accessible.
“I think this is a pretty big problem,” Eva Galperin, director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation, told TechCrunch, referring to Liber's research. “Without going into the question of what is not, [private identifiable information] Under this legal system, people who use Glow might seriously reconsider using it if they learn that Glow has leaked data about them. ”
Launched in 2013, Glow bills itself as “the world's most comprehensive period tracking and fertility app,” and allows people to “track their menstrual cycles, ovulation, and fertility signs.” You can track everything in one place.
In 2016, Consumer Reports reported that data about Glow users' sex lives, miscarriages, abortion history, etc. I discovered that it was possible to access the comments. . In 2020, Grow agreed to pay a $250,000 fine following an investigation by California's attorney general, who accused the company of “failing to provide adequate security.” [users’] “Health Information,” and “Allowing Access to Your Information Without Your Consent.”