Fertility tracker Glow fixes bug that exposed users’ personal data


A bug in the online forum of fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.

The bug exposed users’ first and last names, self-reported age range (such as children ages 13-18 and adults ages 19-25 and ages 26 and older), location self-described by the user, the application’s unique user ID (in Glow’s software platform), and any images uploaded by users, such as profile photos.

Security researcher Ovi Liber told TechCrunch that he discovered user data leaks from Glow’s developer API. Liber reported the bug to Glow in October and said Glow fixed the leak about a week later.

An API allows two or more Internet-connected systems to communicate with each other, such as a user’s application and the application’s backend servers. APIs can be public, but companies with sensitive data typically restrict access to their own employees or trusted third-party developers.

Liber, however, said that Glow’s API is accessible to everyone, as he is not a developer.

An anonymous Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the filing or provide the representative’s name. As such, TechCrunch is not printing Glow’s response.

In a blog post published Monday, Liber wrote that the vulnerability he found affected all of Glow’s 25 million users. Liber told TechCrunch that accessing the data was relatively simple.

Contact us

Do you have more information on similar flaws in fertility tracking apps? We would like to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email. lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

“Basically my Android device was connected to [network analysis tool] Burp and poke around the forum and see this API call returning user data. That’s where I found IDOR,” Liber said, referring to a type of vulnerability in which a server does not have the proper controls to ensure that access is only granted to users or authorized developers. “Where they say it should only be available to developers, [it’s] This is not true, this is a public API endpoint that returns data for each user: the attacker just needs to know how the API call is made.

Even though the leaked data doesn’t appear to be extremely sensitive, one digital security expert says Glow users deserve to know that this information is accessible.

“I think it’s a big problem,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, a digital rights nonprofit, told TechCrunch, referring to Liber’s research. “Even without addressing the question of what is and is not [private identifiable information] under what legal regime people who use Glow could seriously reconsider their use if they knew that this data concerning them had been disclosed.

Glow, launched in 2013, describes himself as “the world’s most comprehensive period tracking and fertility app,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”

In 2016, Consumer Reports found that it was possible to access Glow users’ data and comments about their sex lives, history of miscarriages, abortions and more, due to a privacy breach related to how the app allowed couples to link their accounts and share data. In 2020, Glow agreed to pay a $250,000 fine after an investigation by the California Attorney General, who accused the company of failing to “properly protect” [users’] health information” and “allowed access to user information without user consent.”


Leave a Comment

Your email address will not be published. Required fields are marked *