The fertility-tracking app Glow collects detailed information about users’ bodies and sex lives, and one thing that may not occur to users is the possibility that their data could be compromised. No, not just if someone swiped their phone or broke into their account: our colleagues down the hall at Consumer Reports discovered some serious security flaws in the app, which Glow has now fixed.
Privacy- and technology-minded readers, and Glow users in particular, will want to read the whole rundown of what was wrong and how the team discovered it, but here’s a basic overview of the three security problems, all of which have now been fixed.
Open invitation: Women using the app to avoid or achieve pregnancy might find it useful to let their partners in to view their accounts. The problem with this is that Glow made it a little too easy to connect accounts: a malicious user could add him- or herself to an account without the woman granting them permission to do so, and have access to some very personal data without her even knowing.
TMI on the forums: Posts on the app’s forums had more data embedded in them than displayed to users, which included the user’s full name, birthdate, e-mail address, location, and some recent information from her health log.
Consumer Reports was easily able to access this information by using a computer as a wireless access point, meaning that any malicious person who sets up a WiFi hotspot to gobble up unwitting users’ traffic could scoop up this information, which is enough to commit identity theft or harassment.
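The forum problem is a data-minimization bug: the server sends the client a whole author record when the screen only renders a name. As an added illustration (not code from Glow or Consumer Reports; the field names, records and endpoint shape are assumptions), here is that pattern beside the fix, plus a small checker a team can run against API responses before release to catch sensitive keys riding along anywhere in the payload.

```python
import json

# Constructed sample records for the demo (not real Glow data); field names are assumptions.
USERS = {
    "u1": {
        "id": "u1",
        "display_name": "Jane D.",
        "full_name": "Jane Doe",
        "email": "jane@example.com",
        "birthdate": "1990-04-12",
        "location": "Springfield",
        "health_log": [{"day": "2016-07-20", "note": "period started"}],
    }
}

POSTS = [
    {"id": "p1", "author_id": "u1", "body": "Any tips for tracking?",
     "created_at": "2016-07-21T10:00:00Z"}
]

# Fields the forum UI actually displays for an author. Anything else is over-exposure.
PUBLIC_AUTHOR_FIELDS = ("id", "display_name")

# Keys that must never appear in a public forum response.
SENSITIVE_KEYS = {"full_name", "email", "birthdate", "location", "health_log"}


def serialize_post_leaky(post):
    """The pattern the article describes: the entire author record is embedded
    in the post, even though the client only renders a display name."""
    author = USERS[post["author_id"]]
    return {**post, "author": author}


def serialize_post_minimal(post):
    """Hardened: emit only the author fields the client displays."""
    author = USERS[post["author_id"]]
    return {**post, "author": {k: author[k] for k in PUBLIC_AUTHOR_FIELDS}}


def find_leaked_keys(obj, path="", found=None):
    """Walk a JSON-like response recursively and return the paths of any
    sensitive keys found, so a test can fail the build if the list is non-empty."""
    if found is None:
        found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS:
                found.append(p)
            find_leaked_keys(v, p, found)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            find_leaked_keys(v, f"{path}[{i}]", found)
    return found


def forum_feed(serializer):
    """Build the JSON body a client would receive for the forum feed."""
    return json.dumps([serializer(p) for p in POSTS])


if __name__ == "__main__":
    for name, fn in (("leaky", serialize_post_leaky), ("minimal", serialize_post_minimal)):
        print(name, "leaked:", find_leaked_keys(json.loads(forum_feed(fn))))
```

Running the checker over the leaky feed lists five leaked paths under the post's author object; over the minimal feed it lists none. The same walk works on a captured response from a real client, which is how a reviewer would verify the fix without reading server code.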
Changing a user’s password: If someone wants to seize control of another person’s fertility-tracking account, it’s easy to do: a malicious password-changer simply has to take the code generated when changing the password on a dummy account, then fill in the target’s details.
While the site asks for the account’s old password when an honest user sends a password-change request, the old password isn’t actually checked, so it isn’t needed to set a new one. It would be easy to change passwords for multiple users this way.
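Two things have to go wrong at once for the password-change flaw described above: the server trusts the account identifier the client sends instead of the one its session was issued for, and it never verifies the old password it asked for. As an added example (not Glow's code, and written in Python purely as a stand-in for whatever the real backend used; all store and field names are assumptions), here is a handler with both defects beside a hardened one, and a regression check that walks each through the dummy-account scenario from the article.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the demo (not Glow's backend; names are assumptions).
_ACCOUNTS = {}   # user_id -> {"salt": bytes, "hash": bytes}
_SESSIONS = {}   # session token -> user_id it was issued for


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(user_id, password):
    salt = os.urandom(16)
    _ACCOUNTS[user_id] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(user_id, password):
    acct = _ACCOUNTS.get(user_id)
    if acct is None:
        return False
    return hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"]))


def login(user_id, password):
    """Return a session token on success, None otherwise."""
    if not verify_password(user_id, password):
        return None
    token = secrets.token_hex(16)
    _SESSIONS[token] = user_id
    return token


def change_password_flawed(request):
    """The pattern the article describes: the token only has to be *a* valid
    session, the account to modify comes from the request body, and the
    old password is requested but never checked."""
    if request["token"] not in _SESSIONS:
        return "error: not logged in"
    target = request["user_id"]
    if target not in _ACCOUNTS:
        return "error: no such user"
    salt = os.urandom(16)
    _ACCOUNTS[target] = {"salt": salt, "hash": _hash_password(request["new_password"], salt)}
    return "ok"


def change_password_fixed(request):
    """Hardened: the account is whichever one the session was issued for (any
    client-supplied user_id is ignored), the old password must verify, and the
    user's existing sessions are revoked so a stolen token dies with the change."""
    user_id = _SESSIONS.get(request["token"])
    if user_id is None:
        return "error: not logged in"
    if not verify_password(user_id, request["old_password"]):
        return "error: old password incorrect"
    salt = os.urandom(16)
    _ACCOUNTS[user_id] = {"salt": salt, "hash": _hash_password(request["new_password"], salt)}
    for tok in [t for t, u in _SESSIONS.items() if u == user_id]:
        del _SESSIONS[tok]
    return "ok"


def regression_check():
    """Replay the article's scenario (a session from a throwaway account, a request
    naming someone else's user_id, no correct old password) against both handlers
    and report whether the other account's password was actually replaced."""
    _ACCOUNTS.clear()
    _SESSIONS.clear()
    create_account("target", "target-secret")
    create_account("dummy", "dummy-secret")
    dummy_token = login("dummy", "dummy-secret")
    req = {"token": dummy_token, "user_id": "target",
           "old_password": "not-the-real-one", "new_password": "chosen-by-requester"}

    flawed = change_password_flawed(req)
    flawed_took_over = verify_password("target", "chosen-by-requester")

    create_account("target", "target-secret")   # reset before trying the fix
    fixed = change_password_fixed(req)
    fixed_took_over = verify_password("target", "chosen-by-requester")
    return {"flawed": flawed, "flawed_took_over": flawed_took_over,
            "fixed": fixed, "fixed_took_over": fixed_took_over}


if __name__ == "__main__":
    print(regression_check())
```

The flawed handler reports success and the target's password really is replaced; the fixed one refuses because the session resolves to the dummy account and the old password for that account does not verify. The session revocation in the fixed handler is also what makes the advice in Glow's notification (change your password after updating) effective: it invalidates any token issued before the change.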
Glow users should have received a notification telling them to update the app and change their passwords, and to unlink their account from any partner accounts that are connected, then reconnect them.
A company representative told Consumer Reports that it doesn’t know of any data or accounts that were compromised in this way, and Glow didn’t know about it until Consumer Reports alerted it to the problem.
Just keep this in mind: what are you typing into your favorite apps, and how do you know that it’s secure?
Glow Pregnancy App Exposed Women to Privacy Threats, Consumer Reports Finds [Consumer Reports]