Sunday, July 7, 2024

Fertility tracker Glow fixes bug that exposed users' personal data

A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.

The bug exposed users' first and last names, self-reported age group (such as children aged 13-18, adults aged 19-25, and those aged 26 and older), the user's self-described location, the app's unique user identifier (within Glow's software platform), and any user-uploaded images, such as profile pictures.

Security researcher Ovi Liber told TechCrunch that he found user data leaking from Glow's developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.

An API allows two or more internet-connected systems to communicate with each other, such as a user's app and the app's backend servers. APIs can be public, but companies with sensitive data often restrict access to their own employees or trusted third-party developers.

Liber, however, said that Glow's API was accessible to anyone, as he is not a developer.

An unnamed Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative's name. As such, TechCrunch is not printing Glow's response.

In a blog post published on Monday, Liber wrote that the vulnerability he found affected all of Glow's 25 million users. Liber told TechCrunch that accessing the data was relatively easy.

“I basically had my Android device attached with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.”
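To make the class of bug concrete, here is an added illustration (not Glow's code, and not from Liber's write-up) of a profile lookup that trusts the requested user id, next to a version that enforces object-level authorization. The records, field names and the "developer" role are constructed assumptions.

```python
# Added example: an IDOR-prone profile endpoint beside a hardened one.
# The sample users and field names below are constructed, not Glow's data.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int          # the platform's internal identifier
    first_name: str
    last_name: str
    age_group: str        # self-reported, e.g. "19-25"
    location: str
    photo_url: str
    roles: set = field(default_factory=set)   # e.g. {"developer"}


# Constructed in-memory "database" keyed by internal user id.
USERS = {
    1001: User(1001, "Ada", "Lovelace", "26+", "London", "/photos/1001.jpg"),
    1002: User(1002, "Bob", "Smith", "13-18", "Austin", "/photos/1002.jpg"),
    9000: User(9000, "Dev", "Account", "26+", "HQ", "", roles={"developer"}),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_profile_vulnerable(caller_id, target_id):
    """IDOR: the caller is authenticated, but caller_id is never compared
    with target_id, so any logged-in user can read every record simply by
    changing the id in the request."""
    return vars(USERS[target_id])


def get_profile_hardened(caller_id, target_id):
    """Object-level authorization: the full record goes only to its owner
    or to a developer-role caller; everyone else gets the public forum
    fields, and a missing target is indistinguishable from a denied one."""
    caller = USERS.get(caller_id)
    target = USERS.get(target_id)
    if caller is None or target is None:
        raise Forbidden("not permitted")      # no existence oracle
    if caller_id == target_id or "developer" in caller.roles:
        return vars(target)
    # Public view: omit the name, age group and location the forum
    # has no need to expose to other members.
    return {"user_id": target.user_id,
            "first_name": target.first_name,
            "photo_url": target.photo_url}
```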

While the leaking data may not seem extremely sensitive, a digital security expert believes Glow users should know that this information is accessible.

“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director at the digital rights non-profit Electronic Frontier Foundation, told TechCrunch, referring to Liber’s research. “Even without getting into the question of what is and isn’t [personally identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.”

Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”

In 2016, Consumer Reports found that it was possible to access Glow users’ data and comments about their sex lives, history of miscarriages, abortions and more, due to a privacy loophole related to the way the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Attorney General, which accused the company of failing to “adequately safeguard [users’] health information,” and “allowed access to users’ information without the user’s consent.”
