Pregnancy-tracking app exposes sensitive personal information
Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that its designers had made a number of fundamental errors in the app's security and privacy design. These errors would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.
According to Consumer Reports, "The ability to link accounts opened the way to the first vulnerability we found. It was a startling one. ... We discovered that as soon as a user sent the request to another user, their accounts were linked and the requesting user could see much of the other account's data—without the other account having to do anything. The second account would receive an email saying that another user had made the request, but it didn’t matter if that email got stuck in a spam folder or if it was never opened. The second user did not have to acknowledge or accept the invitation. As long as second account wasn’t already linked with another one, the first person who invited the account instantly gained access to the second account's data."
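The linking flaw in the quote comes down to granting read access when an invitation is sent rather than when the invitee accepts it. The Python sketch below is an added example, not Glow's or Consumer Reports' code; the `LinkService` class, its methods and the account names are hypothetical, and it models the reported behaviour beside a version that requires acceptance.

```python
"""Constructed model of partner-account linking (hypothetical, not Glow's code)."""


class LinkError(Exception):
    pass


class LinkService:
    def __init__(self, require_acceptance=True):
        # False reproduces the behaviour the report describes: link on request.
        self.require_acceptance = require_acceptance
        self.pending = {}  # invitee -> set of inviters awaiting a decision
        self.linked = {}   # user -> partner, stored in both directions

    def _link(self, a, b):
        self.linked[a] = b
        self.linked[b] = a

    def invite(self, inviter, invitee):
        if inviter == invitee or invitee in self.linked:
            raise LinkError("invitee is unavailable for linking")
        if self.require_acceptance:
            # Hardened: record the request only; no data access yet.
            self.pending.setdefault(invitee, set()).add(inviter)
        else:
            # Flawed: the sender alone decides that the accounts are linked.
            self._link(inviter, invitee)

    def accept(self, invitee, inviter):
        # Assumption: called only from the invitee's authenticated session.
        if inviter not in self.pending.get(invitee, set()):
            raise LinkError("no pending invitation from that account")
        if invitee in self.linked or inviter in self.linked:
            raise LinkError("one of the accounts is already linked")
        self.pending.pop(invitee)  # any other open invitations lapse
        self._link(invitee, inviter)

    def can_read(self, reader, owner):
        # Authorization check applied to every read of partner data.
        return reader == owner or self.linked.get(reader) == owner


def demo():
    flawed = LinkService(require_acceptance=False)
    flawed.invite("mallory", "alice")       # constructed account names
    fixed = LinkService()
    fixed.invite("mallory", "alice")
    return flawed.can_read("mallory", "alice"), fixed.can_read("mallory", "alice")


if __name__ == "__main__":
    print(demo())
```

In the hardened path an unread or spam-filtered invitation email leaves the invitee's data unreadable, because access depends on the invitee's own `accept` call and not on the inviter's request.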