{"id":75573,"date":"2024-02-13T15:05:13","date_gmt":"2024-02-13T15:05:13","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/02\/13\/fertility-tracker-glow-fixes-bug-that-exposed-users-personal-data-techcrunch\/"},"modified":"2024-02-13T15:05:13","modified_gmt":"2024-02-13T15:05:13","slug":"fertility-tracker-glow-fixes-bug-that-exposed-users-personal-data-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/02\/13\/fertility-tracker-glow-fixes-bug-that-exposed-users-personal-data-techcrunch\/","title":{"rendered":"Fertility tracker Glow fixes bug that exposed users&#8217; personal data | TechCrunch"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\">A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.<\/p>\n<p>The bug exposed users\u2019 first and last names, self-reported age group (such as children aged 13-18 and adults aged 19-25, and aged 26 and older), the user\u2019s self-described location, the app\u2019s unique user identifier (within Glow\u2019s software platform), and any user-uploaded images, such as profile photos.<\/p>\n<p>Security researcher Ovi Liber told TechCrunch that he found user data leaking from Glow\u2019s developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.<\/p>\n<p>An API allows two or more internet-connected systems to communicate with each other, such as a user\u2019s app and the app\u2019s backend servers. 
APIs can be public, but companies with sensitive data typically restrict access to their own employees or trusted third-party developers.<\/p>\n<p>Liber, however, said that Glow\u2019s API was accessible to anyone, as he is not a developer.<\/p>\n<p>An unnamed Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative\u2019s name. As such, TechCrunch is not printing Glow\u2019s response.<\/p>\n<p><a href=\"http:\/\/www.0x0v1.com\/re-privacy-glow\/\" target=\"_blank\" rel=\"noopener\">In a blog post published on Monday<\/a>, Liber wrote that the vulnerability he found affected all of Glow\u2019s 25 million users. Liber told TechCrunch that accessing the data was relatively easy.<\/p>\n<p>\u201cI basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That\u2019s where I found the IDOR,\u201d Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. 
\u201cWhere they say it should be available to devs only, [it\u2019s] not true, it\u2019s a public API endpoint that returns data for each user \u2014 simply attacker needs to know how the API call is made.\u201d<\/p>\n<p>While the leaking data might not seem extremely sensitive, a digital security expert believes Glow users deserve to know that this information is accessible.<\/p>\n<p>\u201cI think that is a pretty big deal,\u201d Eva Galperin, the cybersecurity director at the digital rights non-profit Electronic Frontier Foundation, told TechCrunch, referring to Liber\u2019s research. \u201cEven without getting into the question of what is and is not [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.\u201d<\/p>\n<p>Glow, which launched in 2013, <a href=\"https:\/\/apps.apple.com\/us\/app\/glow-track-shop-conceive\/id638021335\" target=\"_blank\" rel=\"noopener\">describes itself<\/a> as \u201cthe most comprehensive period tracker and fertility app in the world,\u201d which people can use to track their \u201cmenstrual cycle, ovulation, and fertility signs, all in one place.\u201d<\/p>\n<p>In 2016, <a href=\"https:\/\/techcrunch.com\/2016\/07\/30\/serious-privacy-flaws-discovered-in-glow-fertility-tracker-app\/\" target=\"_blank\" rel=\"noopener\">Consumer Reports found that it was possible to access<\/a> Glow users\u2019 data and comments about their sex lives, history of miscarriages, abortions and more, because of a privacy loophole related to the way the app allowed couples to link their accounts and share data. 
In 2020, <a href=\"https:\/\/oag.ca.gov\/news\/press-releases\/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93\" target=\"_blank\" rel=\"noopener\">Glow agreed to pay a fine of $250,000<\/a> after an investigation by California\u2019s Attorney General, which accused the company of failing to \u201cadequately safeguard [users\u2019] health information,\u201d and \u201callowed access to user\u2019s information without the user\u2019s consent.\u201d<\/p>\n<\/p><\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2024\/02\/13\/fertility-tracker-glow-fixes-bugs-that-exposed-users-personal-data\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher. The bug exposed users\u2019 first and last names, self-reported age group (such as children aged 13-18 and adults aged 19-25, and aged 26 and older), the user\u2019s self-described location, 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":75574,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-75573","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/75573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=75573"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/75573\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/75574"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=75573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=75573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=75573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}