A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.
The bug exposed users’ first and last names, self-reported age group (such as children aged 13-18 and adults aged 19-25, and aged 26 and older), the user’s self-described location, the app’s unique user identifier (within Glow’s software platform), and any user-uploaded images, such as profile photos.
Security researcher Ovi Liber told TechCrunch that he found user data leaking from Glow’s developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.
An API allows two or more internet-connected systems to communicate with each other, such as a user’s app and the app’s backend servers. APIs can be public, but companies with sensitive data typically restrict access to its own employees or trusted third-party developers.
Liber, however, said that Glow’s API was accessible to anyone, as he is not a developer.
An unnamed Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative’s name. As such, TechCrunch is not printing Glow’s response.
In a blog post published on Monday, Liber wrote that the vulnerability he found affected all of Glow’s 25 million users. Liber told TechCrunch that accessing the data was relatively easy.
Do you have more information about similar flaws in fertility-tracking apps? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email firstname.lastname@example.org. You also can contact TechCrunch via SecureDrop.
“I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.”
While the leaking data might not seem extremely sensitive, a digital security expert believes Glow users’ deserve to know that this information is accessible.
“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director at the digital rights non-profit Electronic Frontier Foundation, told TechCrunch, referring to Liber’s research. “Even without getting into the question of what is and is not [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them.”
Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”
In 2016, Consumer Reports found that it was possible to access Glow user’s data and comments about their sex lives, history of miscarriages, abortions and more, because of a privacy loophole related to the way the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Attorney General, which accused the company of failing to “adequately safeguard [users’] health information,” and “allowed access to user’s information without the user’s consent.”