The bug in fertility tracker app Glow is finally fixed. The 3-in-1 application, which offers a fertility calendar, period tracker, and ovulation calculator, recently exposed the personal data of millions of users because of the bug.
It was first revealed by security expert Ovi Liber in October 2023. He said that a week later, the security vulnerability was fixed by the company Glow Inc.
Ovi Liber said he realized the app's API was accessible to anyone because he could access it himself, even though he is not a developer of the health application.
Fertility Tracker App Glow Data Leak Update
According to TechCrunch's latest report, the recent bug exposed all 25 million users of Glow. The details leaked by the fertility tracker app's bug include the following:
- First and last names
- Self-reported age groups
- Self-described locations
- The app's unique identifier
- User-uploaded images, such as profile pictures
"I basically had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That's where I found the IDOR," said Ovi Liber.
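The IDOR class named in the quote above, as an added example that is not taken from the article, Ovi Liber's write-up or Glow's code: a profile lookup that returns the full record for any ID, a hardened version with an object-level check and a field allowlist, and a regression check that flags over-exposed fields. Every function name, field name and record here is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed sample records; fields mirror the data types the article lists.
@dataclass(frozen=True)
class User:
    user_id: int
    first_name: str
    last_name: str
    age_group: str
    location: str
    avatar_url: str
    display_name: str

USERS = {
    101: User(101, "Ana", "Example", "25-34", "Lisbon", "https://img.example/101.png", "ana_e"),
    202: User(202, "Bo", "Sample", "35-44", "Oslo", "https://img.example/202.png", "bo_s"),
}

# Assumption: a forum reader only needs the author's display name.
PUBLIC_FIELDS = ("display_name",)
OWNER_FIELDS = ("user_id", "first_name", "last_name", "age_group",
                "location", "avatar_url", "display_name")

def get_profile_vulnerable(requester_id, target_id):
    """IDOR: any caller receives the full record for whatever ID it names."""
    user = USERS[target_id]
    return {f: getattr(user, f) for f in OWNER_FIELDS}

def get_profile_hardened(requester_id, target_id):
    """Full record only for the owner; allowlisted fields for everyone else."""
    user = USERS.get(target_id)
    if user is None:
        return None
    fields = OWNER_FIELDS if requester_id == target_id else PUBLIC_FIELDS
    return {f: getattr(user, f) for f in fields}

def audit_overexposure(handler, requester_id):
    """Regression check: fields returned about OTHER users beyond the allowlist."""
    leaked = set()
    for target_id in USERS:
        if target_id == requester_id:
            continue
        body = handler(requester_id, target_id) or {}
        leaked |= set(body) - set(PUBLIC_FIELDS)
    return sorted(leaked)
```

Running `audit_overexposure` against every handler in a test suite catches the case where a serializer quietly starts returning more than the allowlist.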
A Glow Inc. representative also confirmed that the bug was already resolved. However, the official didn't specify the seriousness of the security vulnerability or its impact on the app's user record.
Because personal details were leaked, many experts said that the bug was a big deal even though it was already fixed. Eva Galperin, the Electronic Frontier Foundation's cybersecurity director, said that Glow users might start to consider other alternatives.
Glow Inc. Faced Lawsuit Over Security Bug
In his official blog post, Ovi Liber said that Glow Inc. was sued by the state of California because of the serious data leak.
"The California State then took the company to court and fined them $250,000 for this negligence," said the cybersecurity expert.
In the lawsuit, California state officials said that when patients visit doctors or healthcare providers, their sensitive information is protected.
They added that this should also be the case for any healthcare apps available online that gather users' sensitive details.
"Today's settlement is a wake-up call not just for Glow, Inc., but for every app maker that handles sensitive private data," said the state of California in its lawsuit, as quoted by Ovi Liber.
The California attorney general also disclosed the allegations against Glow Inc., such as the following:
- Additional security problems with the app's password change function could have allowed third parties to reset user account passwords and access information in those accounts without user consent.
- Failed to adequately safeguard health information. Allowed access to the user's information without the user's consent.