A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users, according to a security researcher.
The bug exposed users’ first and last names, self-reported age group (such as children aged 13-18, adults aged 19-25, and aged 26 and older), the user’s self-described location, the app’s unique user identifier (within Glow’s software platform) and any user-uploaded images, such as profile photos.
Security researcher Ovi Liber told TechCrunch that he found user data leaking from Glow’s developer API. Liber reported the bug to Glow in October, and said Glow fixed the leak about a week later.
An API allows two or more internet-connected systems to communicate with each other, such as a user’s app and the app’s back-end servers. APIs can be public, but companies with sensitive information typically restrict access to their own employees or trusted third-party developers.
Liber, however, said that Glow’s API was accessible to anyone, as he is not a developer.
An unnamed Glow representative confirmed to TechCrunch that the bug is fixed, but Glow declined to discuss the bug and its impact on the record or provide the representative’s name. As such, TechCrunch is not publishing Glow’s response.
In a blog post published on Monday, Liber wrote that the vulnerability he found affected all of Glow’s 25 million users. Liber told TechCrunch that accessing the data was relatively easy.
“I essentially had my Android device hooked up with [network analysis tool] Burp and poked around on the forum and saw that API call returning the user data. That’s where I found the IDOR,” Liber said, referring to a type of vulnerability where a server lacks the proper checks to ensure access is only granted to authorized users or developers. “Where they say it should be available to devs only, [it’s] not true, it’s a public API endpoint that returns data for each user — just attackers need to know how the API call is made.”
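As an added illustration (not code from the article, from Glow or from Liber), the access-control gap behind an IDOR: a profile lookup that trusts the user identifier in the request, beside a hardened version that ties the requested record to the authenticated caller and a public view that exposes only what a forum needs to display. The records, session tokens and function names are constructed for the example.

```python
# Added example, not from the article: a minimal model of an IDOR on a
# user-profile endpoint and two ways a server should answer instead.
# Every record, token and URL below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: int
    first_name: str
    last_name: str
    age_group: str
    location: str
    photo_url: str

# Constructed sample rows standing in for a forum's user table.
USERS = {
    101: User(101, "Ada", "Example", "26+", "Cape Town", "https://example.invalid/101.jpg"),
    102: User(102, "Ben", "Sample", "19-25", "Lagos", "https://example.invalid/102.jpg"),
}

# Constructed session table: opaque session token -> authenticated user id.
SESSIONS = {"tok-ada": 101, "tok-ben": 102}

def profile_vulnerable(user_id: int) -> Optional[dict]:
    """The IDOR pattern: the identifier in the request is the only input,
    so any caller can enumerate ids and read every user's full record."""
    u = USERS.get(user_id)
    return None if u is None else vars(u)

def profile_hardened(session_token: Optional[str], user_id: int) -> Optional[dict]:
    """Same lookup, but the server first resolves who is asking and then
    checks that the requested record belongs to that caller."""
    caller = SESSIONS.get(session_token or "")
    if caller is None:
        return None          # no valid session: refuse before touching data
    if caller != user_id:
        return None          # authenticated, but not the owner of this record
    u = USERS.get(user_id)
    return None if u is None else vars(u)

def profile_public(user_id: int) -> Optional[dict]:
    """What an anonymous forum reader legitimately needs: a display name
    only, with age group, location and upload URLs deliberately omitted."""
    u = USERS.get(user_id)
    return None if u is None else {"user_id": u.user_id, "display_name": u.first_name}
```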
While the leaked data might not seem extremely sensitive, a digital security expert believes Glow users deserve to know that this data is accessible.
“I think that is a pretty big deal,” Eva Galperin, the cybersecurity director at the digital rights nonprofit Electronic Frontier Foundation, told TechCrunch, referring to Liber’s research. “Even without getting into the question of what is and is not [personally identifiable information] under which legal regime, the people who use Glow might seriously reconsider their use if they knew that it leaked this information about them.”
Glow, which launched in 2013, describes itself as “the most comprehensive period tracker and fertility app in the world,” which people can use to track their “menstrual cycle, ovulation, and fertility signs, all in one place.”