A bug within the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.
The bug exposed users’ first and last names, self-reported age group (such as teenagers aged 13-18, adults aged 19-25, and those aged 26 and older), the user’s self-described location, the app’s unique user identifier (within Glow’s software platform), and any user-uploaded images, such as profile pictures.
Security researcher Ovi Liber told information.killnetswitch that he found user data leaking from Glow’s developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.
An API allows two or more internet-connected systems to communicate with each other, such as a user’s app and the app’s backend servers. APIs can be public, but companies with sensitive data often restrict access to their own employees or trusted third-party developers.
Liber, however, said that Glow’s API was accessible to anyone, as he is not a developer.
An unnamed Glow representative confirmed to information.killnetswitch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative’s name. As such, information.killnetswitch is not printing Glow’s response.
In a blog post published on Monday, Liber wrote that the vulnerability he found affected all of Glow’s 25 million users. Liber told information.killnetswitch that accessing the data was relatively easy.
“I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.”
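To make the class of bug concrete, here is an added illustration (hypothetical code, not Glow’s API or Liber’s findings) of a forum profile endpoint that commits the IDOR described above, beside a version that enforces an object-level authorization check. The user records, field names and the `developer` role are constructed for the example.

```python
# Added example: the IDOR pattern from the article, modelled as a profile lookup.
# Hypothetical code; records below are constructed and mirror the field types
# the article lists (names, age group, location, user id, profile image).
from dataclasses import dataclass


@dataclass
class Session:
    user_id: int
    role: str  # assumed roles: "user" or "developer"


USERS = {
    101: {"first_name": "Ada", "last_name": "L.", "age_group": "19-25",
          "location": "Lisbon", "profile_image": "ada.jpg"},
    102: {"first_name": "Ben", "last_name": "K.", "age_group": "13-18",
          "location": "Oslo", "profile_image": "ben.jpg"},
}
# Assumed subset that a forum legitimately shows to other members.
PUBLIC_FIELDS = {"first_name", "profile_image"}


def get_user_vulnerable(session: Session, user_id: int) -> dict:
    """IDOR: the caller is authenticated (a session exists) but nothing checks
    whether *this* caller may read *this* record, so iterating user ids
    enumerates every profile in full."""
    return {"user_id": user_id, **USERS[user_id]}


def get_user_hardened(session: Session, user_id: int) -> dict:
    """Object-level authorization: the full record goes only to the record's
    owner or to a developer role; every other caller gets the public subset.
    This is the 'proper check' the quoted description says was missing."""
    if user_id not in USERS:
        raise KeyError("no such user")
    record = USERS[user_id]
    if session.user_id == user_id or session.role == "developer":
        return {"user_id": user_id, **record}
    return {"user_id": user_id,
            **{k: v for k, v in record.items() if k in PUBLIC_FIELDS}}
```

A useful regression test for any such endpoint is the second assertion below: an ordinary session requesting someone else’s id must never receive the private fields.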
“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director at the digital rights non-profit Electronic Frontier Foundation, told information.killnetswitch, referring to Liber’s research. “Even without getting into the question of what is and isn’t [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.”
Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”
In 2016, Consumer Reports found that it was possible to access Glow users’ data and comments about their sex lives, history of miscarriages, abortions and more, because of a privacy loophole related to the way the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Attorney General, which accused the company of failing to “adequately safeguard [users’] health information,” and “allowed access to users’ information without the user’s consent.”