Pregnancy-tracking app exposes sensitive personal information

by
in mobile on (#1NZKC)
Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.

According to Consumer Reports, "The ability to link accounts opened the way to the first vulnerability we found. It was a startling one. ... We discovered that as soon as a user sent the request to another user, their accounts were linked and the requesting user could see much of the other account's data- without the other account having to do anything.

The owner of the second account would receive an email saying that another user had made the request, but it didn't matter if that email got stuck in a spam folder or was never opened. The second user did not have to acknowledge or accept the invitation. As long as second account wasn't already linked with another one, the first person who requested linking of the account instantly gained access to the account's data.

Even worse, using the app-security software researchers were able to change any user's password without knowing the old password. The request for the old password was just for show, like a door lock with the deadbolt missing. It gave the appearance of security, but it didn't offer real protection against a malicious user.

if only root was available to all users (Score: 0)

by Anonymous Coward on 2016-07-30 16:08 (#1NZP0)

seriously, how long will it be before someone sues a phone provider due to this? phone users do not control the computer they purchased. at best they have User level access. install a firewall? nope. configure setting to prevent unauthorised use if hardware, such as the camera while the phone is locked? nope. do we need someone to die for android and iphone to open these consumer devices to consumer control?
Post Comment
Subject
Comment
Captcha
The number of body parts in the list heart, ankle, pub, ear, toe and brain is?