Fertility tracker Glow fixes bug that uncovered customers’ private knowledge

A bug within the on-line discussion board for the fertility monitoring app Glow uncovered the non-public knowledge of round 25 million customers, in line with a safety researcher.

The bug uncovered customers’ first and final names, self-reported age group (similar to youngsters aged 13-18 and adults aged 19-25, and aged 26 and older), the person’s self-described location, the app’s distinctive person identifier (inside Glow’s software program platform), and any user-uploaded photographs, similar to profile pictures.

Safety researcher Ovi Liber advised TechCrunch that he discovered person knowledge leaking from Glow’s developer API. Liber reported the bug to Glow in October, and stated Glow fastened the leak a few week later.

An API permits two or extra internet-connected methods to speak with one another, similar to a person’s app and the app’s backend servers. APIs might be public, however firms with delicate knowledge usually prohibit entry to its personal staff or trusted third-party builders.

Liber, nevertheless, stated that Glow’s API was accessible to anybody, as he isn’t a developer.

An unnamed Glow consultant confirmed to TechCrunch that the bug is fastened, however Glow declined to debate the bug and its impression on the document or present the consultant’s identify. As such, TechCrunch will not be printing Glow’s response.

In a blog post published on Monday, Liber wrote that the vulnerability he discovered affected all of Glow’s 25 million customers. Liber advised TechCrunch that accessing the information was comparatively straightforward.

“I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber stated, referring to a kind of vulnerability the place a server lacks the right checks to make sure entry is barely granted to licensed customers or builders. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.”

Whereas the leaking knowledge won’t appear extraordinarily delicate, a digital safety professional believes Glow customers’ need to know that this info is accessible.

“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director on the digital rights non-profit Digital Frontier Basis, advised TechCrunch, referring to Liber’s analysis. “Even without getting into the question of what is and is not [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.”

Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which individuals can use to trace their “menstrual cycle, ovulation, and fertility signs, all in one place.”

In 2016, Consumer Reports found that it was possible to access Glow person’s knowledge and feedback about their intercourse lives, historical past of miscarriages, abortions and extra, due to a privateness loophole associated to the best way the app allowed {couples} to hyperlink their accounts and share knowledge. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Lawyer Basic, which accused the corporate of failing to “adequately safeguard [users’] health information,” and “allowed access to user’s information without the user’s consent.”