Fertility tracker Glow fixes bug that exposed users’ personal data
Reading Time: 2 minutesA bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.
The bug exposed users’ first and last names, self-reported age group (such as children aged 13-18 and adults aged 19-25, and aged 26 and older), the user’s self-described location, the app’s unique user identifier (within Glow’s software platform) and any user-uploaded images, such as profile photos.
An API allows two or more internet-connected systems to communicate with each other, such as a user’s app and the app’s back-end servers. APIs can be public, but companies with sensitive data typically restrict access to its own employees or trusted third-party developers.
Liber, however, said that Glow’s API was accessible to anyone, as he is not a developer.
‘I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,’ Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. ‘Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — simply attacker needs to know how the API call is made.’
While the leaking data might not seem extremely sensitive, a digital security expert believes Glow users deserve to know that this information is accessible.
Glow, which launched in 2013, describes itself as ‘the most comprehensive period tracker and fertility app in the world,’ which people can use to track their ‘menstrual cycle, ovulation, and fertility signs, all in one place.’
In 2016, Consumer Reports found that it was possible to access Glow user’s data and comments about their sex lives, history of miscarriages, abortions and more, because of a privacy loophole related to the way the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a fine of $250,000 after an investigation by California’s Attorney General, which accused the company of failing to ‘adequately safeguard [users’] health information,’ and ‘allowed access to user’s information without the user’s consent.’
Ref: techcrunch
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG