A bug in the online forum for fertility tracking app Glow exposed the personal data of about 25 million users, according to a security researcher.
The bug exposed users’ first and last name, self-reported age group (such as children aged 13-18 and adults 19-25 and 26 and over), the user’s self-described location user ID, the application’s unique user ID (within Glow’s software platform), and any images uploaded by users, such as profile pictures.
Security researcher Ovi Liber told TechCrunch that he found a leak of user data from Glow’s developer API. Liber reported the bug to Glow in October and said Glow fixed the leak about a week later.
An API allows two or more internet-connected systems to communicate with each other, such as a user’s application and the application’s back-end servers. APIs may be public, but companies with sensitive data typically limit access to their own employees or trusted third-party developers.
Liber, however, said Glow’s API was accessible to anyone since he is not a developer.
An unnamed Glow spokesperson confirmed to TechCrunch that the bug has been fixed, but Glow declined to discuss the bug and its impact on the file or provide the representative’s name. As such, TechCrunch is not printing Glow’s response.
In a blog post published on Monday, Liber wrote that the vulnerability he found affected all 25 million Glow users. Liber told TechCrunch that accessing the data was relatively easy.
Contact us
Do you have more information about similar flaws in fertility tracking apps? We would love to hear from you. From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
“Basically I was connected to my Android device [network analysis tool] I quickly looked in the forum and saw the API call that returned the user data. That’s where I found IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper controls to ensure that access is granted only to authorized users or developers. “Where they say it should only be available to developers, [it’s] Not true, it’s a public API endpoint that returns data for each user — the attacker just needs to know how the API call is made.”
While the leaked data may not seem highly sensitive, one digital security expert believes Glow users deserve to know that this information is accessible.
“I think it’s a very big deal,” Eva Galperin, director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation, told TechCrunch, referring to Liber’s investigation. “Even without entering into the question of what it is and what it is not [private identifiable information] under which legal regime, people who use Glow could seriously reconsider their use if they knew that this data about them had been leaked.”
Glow, released in 2013, describes himself as “the world’s most comprehensive period and fertility tracking app”, which people can use to track their “menstrual cycle, ovulation and fertility signs, all in one place”.
In 2016, Consumer Reports found that data and feedback from Glow users about their sex lives, history of miscarriages, abortions and more was accessible because of a privacy loophole related to how the app allowed couples to link their accounts and share data. in 2020, Glow agreed to pay a $250,000 fine following an investigation by the California Attorney General, who accused the company of failing to “adequately ensure [users’] health information’ and ‘allow access to user information without user consent’.
