Story 2016-07-30 1NZKC Pregnancy-tracking app exposes sensitive personal information

Pregnancy-tracking app exposes sensitive personal information

by
in mobile on (#1NZKC)
Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.

According to Consumer Reports, "The ability to link accounts opened the way to the first vulnerability we found. It was a startling one. ... We discovered that as soon as a user sent the request to another user, their accounts were linked and the requesting user could see much of the other account's data— without the other account having to do anything.

The owner of the second account would receive an email saying that another user had made the request, but it didn’t matter if that email got stuck in a spam folder or was never opened. The second user did not have to acknowledge or accept the invitation. As long as second account wasn’t already linked with another one, the first person who requested linking of the account instantly gained access to the account's data.

Even worse, using the app-security software researchers were able to change any user’s password without knowing the old password. The request for the old password was just for show, like a door lock with the deadbolt missing. It gave the appearance of security, but it didn’t offer real protection against a malicious user.
Reply 2 comments

if only root was available to all users (Score: 0)

by Anonymous Coward on 2016-07-30 16:08 (#1NZP0)

seriously, how long will it be before someone sues a phone provider due to this? phone users do not control the computer they purchased. at best they have User level access. install a firewall? nope. configure setting to prevent unauthorised use if hardware, such as the camera while the phone is locked? nope. do we need someone to die for android and iphone to open these consumer devices to consumer control?

Re: if only root was available to all users (Score: 1)

by genericuser@pipedot.org on 2016-07-31 14:16 (#1P1XN)

What are you talking about?? It's not the phone provider at fault here, it's the extremely poor practices of the clowns that coded the app. For example, "The request for the old password was just for show, like a door lock with the deadbolt missing. It gave the appearance of security, but it didn’t offer real protection against a malicious user".

That's not the phone provider's fault, that's the programmers sucking wind at what they do.