In a recent security breach, personal data belonging to approximately 25 million users of the fertility tracking app Glow was exposed due to a bug in its online forum, according to findings by security researcher Ovi Liber.
The bug, discovered in Glow's developer API, inadvertently revealed sensitive user information including first and last names, self-reported age groups, location data, unique user identifiers within Glow's platform, and user-uploaded images. Liber, who uncovered the vulnerability, reported it to Glow in October, prompting the company to swiftly address the issue approximately a week later.
Typically, APIs are intended to facilitate communication between internet-connected systems, but are often restricted to internal use or trusted third-party developers. However, in Glow's case, the API was accessible to anyone, as Liber, who is not a developer, was able to exploit the vulnerability.
In a blog post detailing his findings, Liber emphasized that the vulnerability affected all 25 million users of Glow. Describing the ease with which the data could be accessed, Liber explained, "I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data."
Katie Paxton-Fear, API Security Researcher at Traceable AI, commented on the nature of the vulnerability, stating, "This is a classic API vulnerability, often when developers make APIs they assume that it will only be used internally and do not always have the same level of quality control. The developers here assumed that only the mobile app would have access, but in fact that API was publicly available, which is normal for mobile apps. The problem occurred when the app didn’t check that the data belonged to that user before returning it. Often this is the case when engineers assume only the way to see that data is via the mobile app and if a user isn’t logged into the mobile app they cannot see that data, but any attacker only needs to see one example before understanding exactly how to exploit it. This is why it’s so important that even the security of APIs that people assume are internal are secured to the same standard as external applications."
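The failure Paxton-Fear describes is broken object-level authorization: an endpoint that takes a user id from the request and returns that user's record without checking who is asking. The following is an added illustration, not Glow's code or data; the user table, session tokens and field names are constructed for the example. It places the vulnerable handler beside a hardened one that authenticates the caller, lets only the owner see the full record, and returns a minimal public projection to everyone else, then runs the enumeration check that would have surfaced the bug in testing.

```python
"""Constructed example: an API that trusts the requested id (vulnerable)
beside one that authorizes per object and minimises the response.
Nothing here is the app's real schema, code or data."""
from dataclasses import dataclass, asdict
from typing import Callable, Iterable, Optional


@dataclass
class UserRecord:
    user_id: int
    first_name: str
    last_name: str
    age_group: str       # self-reported, sensitive
    location: str        # sensitive
    forum_handle: str    # public on the forum
    avatar_url: str      # public on the forum


# Constructed sample users standing in for an application's user table.
USERS = {
    101: UserRecord(101, "Ada", "Example", "30-34", "Lisbon", "ada_l",
                    "https://cdn.example/avatars/101.png"),
    102: UserRecord(102, "Bo", "Sample", "25-29", "Oslo", "bo_s",
                    "https://cdn.example/avatars/102.png"),
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-ada": 101, "tok-bo": 102}

# The only fields the forum legitimately needs to show about other members.
PUBLIC_FORUM_FIELDS = ("user_id", "forum_handle", "avatar_url")


class Unauthorized(Exception):
    """Raised when the request carries no valid session."""


def vulnerable_get_user(user_id: int) -> Optional[dict]:
    """Vulnerable pattern: the id in the request is the only input, so any
    caller who can reach the endpoint can walk every id and collect the
    full record for each user."""
    rec = USERS.get(user_id)
    return asdict(rec) if rec else None


def hardened_get_user(token: Optional[str], user_id: int) -> Optional[dict]:
    """Hardened pattern: authenticate first, then decide per object what the
    caller may see. The owner gets the full record; any other member gets
    only the public forum projection. The two checks are independent, so
    a bypass of one still does not expose the sensitive fields."""
    if token is None or token not in SESSIONS:
        raise Unauthorized("missing or invalid session")
    caller_id = SESSIONS[token]
    rec = USERS.get(user_id)
    if rec is None:
        return None
    full = asdict(rec)
    if caller_id == user_id:
        return full
    return {k: full[k] for k in PUBLIC_FORUM_FIELDS}


def audit_leaks(handler: Callable[[int], Optional[dict]],
                ids: Iterable[int]) -> int:
    """Test-time check: walk a range of ids through a handler and count how
    many responses expose a sensitive field ('location' here). A handler
    with correct object-level authorization leaks at most the caller's own
    record; the vulnerable one leaks every existing user."""
    leaked = 0
    for uid in ids:
        try:
            data = handler(uid)
        except Unauthorized:
            continue
        if data and "location" in data:
            leaked += 1
    return leaked


if __name__ == "__main__":
    probe = range(100, 105)
    print("vulnerable:", audit_leaks(vulnerable_get_user, probe))
    print("hardened, logged in as 101:",
          audit_leaks(lambda uid: hardened_get_user("tok-ada", uid), probe))
    print("hardened, no session:",
          audit_leaks(lambda uid: hardened_get_user(None, uid), probe))
```

The audit loop is the part worth keeping in a test suite: a single authenticated account should never be able to retrieve sensitive fields for ids other than its own, and that property can be asserted against a staging build before the forum ever ships. Minimising the response for non-owners is a separate layer from the ownership check; if the authorization logic regresses, the forum still only hands out the handle and avatar rather than names, age group and location.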
Despite the potential sensitivity of the leaked data, Glow has declined to comment on the record regarding the bug and its impact. However, Eva Galperin, the cybersecurity director at the Electronic Frontier Foundation, emphasized the significance of Liber's research, stating, "Even without getting into the question of what is and is not [private identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this data about them."
This isn't the first time Glow has faced privacy concerns. In 2016, Consumer Reports highlighted a privacy loophole in the app, and in 2020, Glow was fined $250,000 by California’s Attorney General for failing to adequately safeguard users’ health information.
Glow, launched in 2013, positions itself as "the most comprehensive period tracker and fertility app in the world," offering users features to track their menstrual cycle, ovulation, and fertility signs. However, this recent breach underscores the importance of robust data security measures, especially in apps handling sensitive personal information.