A bug in the online forums of fertility tracking app Glow exposed the personal data of about 25 million users, according to a security researcher.
The vulnerability exposed the user’s first and last name, self-reported age group (such as children 13-18, adults 19-25, and 26 and older), the user’s self-described location, and the application’s unique user identifier (within Glow’s software platform) and any user-uploaded images, such as profile photos.
Security researcher Ovi Liber told TechCrunch that he discovered user data leaked from Glow’s developer API. Liber reported the bug to Glow in October, and said Glow fixed the vulnerability about a week later.
APIs allow two or more Internet-connected systems to communicate with each other, such as a user’s application and the application’s backend server. APIs can be public, but companies with sensitive data often restrict access to their own employees or trusted third-party developers.
However, Liber said that anyone can access Glow’s API; he himself is not a developer.
An unnamed Glow representative confirmed to TechCrunch that the bug has been fixed, but Glow declined to discuss the bug or its impact on users’ records, or to provide the representative’s name. TechCrunch is therefore not publishing Glow’s response.
Liber wrote in a blog post published on Monday that the vulnerability he discovered affected all of Glow’s 25 million users. Liber told TechCrunch that accessing the data is relatively easy.
“I basically had my Android device [proxied through network analysis tool] Burp, was wandering around the forum and saw API calls returning user data. That’s where I discovered the IDOR,” Liber said, referring to a vulnerability in which servers lack proper checks to ensure access is only granted to authorized users or developers. “They said it should only be used by developers, [but] that’s not true. It’s a public API endpoint that returns data for each user – the attacker just needs to know how the API call is made.”
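The IDOR pattern Liber describes, as an added illustration that is not Glow’s code or data: a forum profile lookup that trusts the user id in the request, beside a version that shapes the response by who is asking. All names, fields and records below are constructed for the example.

```python
# Added illustration of an insecure direct object reference (IDOR) in a
# forum profile endpoint. Everything here is constructed for the example;
# it is not Glow's code, schema or data.
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory profile table keyed by the app's internal user id.
PROFILES = {
    101: {"first_name": "Ada", "last_name": "L.", "age_group": "26+",
          "location": "Lisbon", "photo": "/img/101.jpg"},
    102: {"first_name": "Bea", "last_name": "K.", "age_group": "19-25",
          "location": "Oslo", "photo": "/img/102.jpg"},
}

# Fields a forum page legitimately shows for any user, versus fields only
# the record's owner (or a trusted developer token) should ever receive.
PUBLIC_FIELDS = {"first_name", "photo"}
PRIVATE_FIELDS = {"last_name", "age_group", "location"}


@dataclass
class Caller:
    user_id: Optional[int]                      # None for anonymous callers
    scopes: frozenset = field(default_factory=frozenset)  # e.g. {"developer"}


def vulnerable_profile(caller: Caller, requested_id: int) -> Optional[dict]:
    """Vulnerable: returns every field for whatever id the client supplies.

    The caller is never consulted, so anyone who can guess or enumerate ids
    receives the full record for every user.
    """
    record = PROFILES.get(requested_id)
    return dict(record) if record else None


def hardened_profile(caller: Caller, requested_id: int) -> Optional[dict]:
    """Hardened: same lookup, but the response depends on who is asking.

    Only the owner or a developer-scoped caller gets private fields; every
    other caller sees the minimal public subset the forum actually displays.
    """
    record = PROFILES.get(requested_id)
    if record is None:
        return None
    owner = caller.user_id == requested_id
    trusted = "developer" in caller.scopes
    allowed = PUBLIC_FIELDS | (PRIVATE_FIELDS if (owner or trusted) else set())
    return {k: v for k, v in record.items() if k in allowed}
```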
While the leaked data may not appear to be extremely sensitive, digital security experts believe Glow users should know that the information is accessible.
“I think it’s a big deal,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, a digital rights nonprofit, told TechCrunch of Liber’s research. “Even without discussing what is and is not [personally identifiable information] under this legal regime, people who use Glow might seriously reconsider their use if they knew that Glow was leaking data about them.”
Launched in 2013, Glow describes itself as “the world’s most comprehensive period tracker and fertility app” that people can use to track their “menstrual cycle, ovulation and fertility signs, all in one place.”
In 2016, Consumer Reports found that privacy vulnerabilities in the way the app allowed couples to link accounts and share data gave access to Glow users’ data and comments about their sex lives, miscarriages, abortions, and more. In 2020, Glow agreed to pay a $250,000 fine following an investigation by California’s attorney general, who accused the company of failing to “adequately safeguard [users’] health information” and of “allow[ing] access to user information without user consent.”