Pregnancy-tracking app exposes sensitive personal information

by
in mobile on (#1NZJJ)
Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.

According to Consumer Reports, "The ability to link accounts opened the way to the first vulnerability we found. It was a startling one. ... We discovered that as soon as a user sent the request to another user, their accounts were linked and the requesting user could see much of the other account's data— without the other account having to do anything. The second account would receive an email saying that another user had made the request, but it didn’t matter if that email got stuck in a spam folder or if it was never opened. The second user did not have to acknowledge or accept the invitation. As long as second account wasn’t already linked with another one, the first person who invited the account instantly gained access to the second account's data.

History


Deprecated: mb_convert_encoding(): Handling HTML entities via mbstring is deprecated; use htmlspecialchars, htmlentities, or mb_encode_numericentity/mb_decode_numericentity instead in /var/pipedot/include/diff.php on line 25

Deprecated: Creation of dynamic property FineDiff::$granularityStack is deprecated in /var/pipedot/lib/finediff/finediff.php on line 217

Deprecated: Creation of dynamic property FineDiff::$edits is deprecated in /var/pipedot/lib/finediff/finediff.php on line 218

Deprecated: Creation of dynamic property FineDiff::$from_text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 219

Deprecated: Creation of dynamic property FineDiff::$last_edit is deprecated in /var/pipedot/lib/finediff/finediff.php on line 372

Deprecated: Creation of dynamic property FineDiff::$stackpointer is deprecated in /var/pipedot/lib/finediff/finediff.php on line 373

Deprecated: Creation of dynamic property FineDiff::$from_offset is deprecated in /var/pipedot/lib/finediff/finediff.php on line 375

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffInsertOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 104

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffInsertOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 104

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffDeleteOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 86

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffInsertOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 104

Deprecated: Creation of dynamic property FineDiffInsertOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 104

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffInsertOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 104

Deprecated: Creation of dynamic property FineDiffDeleteOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 86

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155

Deprecated: Creation of dynamic property FineDiffInsertOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 104

Deprecated: Creation of dynamic property FineDiffReplaceOp::$fromLen is deprecated in /var/pipedot/lib/finediff/finediff.php on line 126

Deprecated: Creation of dynamic property FineDiffReplaceOp::$text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 127
2016-07-30 15:33
Pregnancy-tracking app exposes sensitive personal information
genericuser@pipedot.org
Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.

According to Consumer Reports, "The ability to link accounts opened the way to the first vulnerability we found. It was a startling one. ... We discovered that as soon as a user sent the request to another user, their accounts were linked and the requesting user could see much of the other account's data—- without the other account having to do anything.

The owner of the second account would receive an email saying that another user had made the request, but it didn’'t matter if that email got stuck in a spam folder or if it was never opened. The second user did not have to acknowledge or accept the invitation. As long as second account wasn’'t already linked with another one, the first person who invirequested linking of the account instantly gained access to the second account's data.

Even worse, using the app-security software researchers were able to change any user's password without knowing the old password. The request for the old password was just for show, like a door lock with the deadbolt missing. It gave the appearance of security, but it didn't offer real protection against a malicious user.
Reply 0 comments