Consumer Reports recently tested the security and privacy features on a popular women’s health and fertility app called Glow. It’s designed to help women track their monthly cycles and get pregnant. The app asks for very personal information, like how you slept, whether you use birth control and even if you’re constipated.
“Consumer Reports discovered that people with little to no hacking skills could link their Glow account to another user’s account without the other person knowing it. We investigated this using our own test accounts,” explained Maria Rerecich, the head of Consumer Reports' Electronics Testing.
“So with just the email address on the account, he was able to invite me. I didn’t have to accept the invitation and he can see the personal information that I entered in the app,” Rerecich added.
Then using common security software, Consumer Reports could see the personal data of any user who posted a message in the app’s forums -- finding the woman's email, her first name, last name and location.
In another test, Consumer Reports found it was fairly easy to change a user’s password and take over their account.
“So he changed my password. I could not get into my account. Because I didn’t know the password. He could get into my account and do anything he wanted with that, have access to all my data, pretend to be me,” said Rerecich.
In response, Glow has since fixed these security issues and released this statement:
“We appreciate Consumer Reports bringing to our attention some possible vulnerabilities within our app. The industry only gets stronger with white hats who are looking to protect consumers. Once informed, our team immediately worked to address and correct the potential issues and have since released an updated version of the app. We also informed users via email to consider changing their password as an extra precaution. Of the more than 4 million users across our apps, far less than 0.15% of our users could have potentially been impacted, but there is no evidence to suggest that any Glow data has been compromised.” -- Jennifer Tye, Glow's Head of US Operations
You can read more from Consumer Reports' findings here: ConsumerReports.org