Around 25 million users of the fertility tracking app Glow had their personal data exposed due to a bug in the online forum, according to a security researcher.
The bug revealed users’ first and last names, self-reported age group, self-described location, unique user identifier within Glow’s software platform, and any user-uploaded images.
Security researcher Ovi Liber reported the bug in Glow’s developer API, which resulted in the leak of user data. Glow fixed the leak about a week after being notified of the issue.
An API allows internet-connected systems to interact with each other, but Glow’s API was accessible to anyone, including non-developers like Liber.
A Glow representative confirmed that the bug is fixed, but declined to discuss the bug or its impact on the record. Liber wrote in a blog post that the vulnerability he found affected all of Glow’s 25 million users.
Liber described how accessing the data was relatively easy using an Android device and a network analysis tool. He found a type of vulnerability called IDOR (insecure direct object reference), where a server lacks proper checks to ensure access is only granted to authorized users or developers.
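To make the IDOR class concrete, here is an added example that is not Glow's code and does not model Glow's actual API: a toy profile endpoint written twice, once with the missing object-level check and once with it in place, plus the audit log a defender would use to spot id enumeration. The profile records, session tokens, `authenticate`, `is_authorized`, and `suspicious_callers` are all constructed for this illustration.

```python
"""Added example (not the app's own code): the IDOR pattern described in
the article, shown as a vulnerable handler beside its fixed counterpart.
Every name, record and token below is constructed for illustration."""

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    name: str
    age_group: str
    location: str
    images: list = field(default_factory=list)


# Constructed sample data standing in for the user database.
PROFILES = {
    101: Profile(101, "Alice Example", "25-34", "Somewhere, EU", ["img/101/a.jpg"]),
    102: Profile(102, "Bob Example", "35-44", "Elsewhere, US", []),
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"token-alice": 101, "token-bob": 102}

# Audit trail of denied object reads, used by the detection below.
AUDIT_LOG = []


def authenticate(token):
    """Return the caller's user id, or None if the token is unknown."""
    return SESSIONS.get(token)


def get_profile_vulnerable(token, target_id):
    """IDOR: the caller is authenticated, but nothing checks that the caller
    may read *this* record, so any valid session can walk every user id."""
    if authenticate(token) is None:
        return 401, None
    profile = PROFILES.get(target_id)
    if profile is None:
        return 404, None
    return 200, profile


def is_authorized(caller_id, profile):
    """Object-level authorization policy: only the owner may read a profile."""
    return caller_id == profile.user_id


def get_profile_fixed(token, target_id):
    """Fixed handler: authentication, then a per-object authorization check
    before any data leaves the server. Denials are logged so enumeration
    attempts become visible to monitoring."""
    caller_id = authenticate(token)
    if caller_id is None:
        return 401, None
    profile = PROFILES.get(target_id)
    if profile is None or not is_authorized(caller_id, profile):
        # One response for "missing" and "forbidden", so the status code
        # cannot be used to confirm which ids exist.
        AUDIT_LOG.append(("denied", caller_id, target_id))
        return 404, None
    return 200, profile


def enumerate_ids(handler, token, id_range):
    """Regression check a defender would keep in the test suite: which ids in
    the range does this handler hand back to the given session?"""
    return [i for i in id_range if handler(token, i)[0] == 200]


def suspicious_callers(threshold):
    """Detection: callers whose denied object reads reach the threshold,
    which is what an id sweep looks like in the audit log."""
    counts = Counter(caller for event, caller, _ in AUDIT_LOG if event == "denied")
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_profile_vulnerable, "token-alice", range(100, 110)))
    print("fixed:     ", enumerate_ids(get_profile_fixed, "token-alice", range(100, 110)))
    print("suspicious:", suspicious_callers(5))
```

The fix is the single `is_authorized` call on the server side; the client cannot be trusted to send only ids it owns. Returning the same 404 for missing and forbidden records, and counting denials per session, are the two small additions that turn a silent leak into something a monitoring rule can alert on.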
Eva Galperin, a cybersecurity director, believes Glow users deserve to know that this information is accessible, despite not being extremely sensitive from a security standpoint.
Glow, which launched in 2013, allows users to track their menstrual cycle, ovulation, and fertility signs, but has faced previous privacy-related issues, including a $250,000 fine in 2020 for failing to safeguard users’ health information.