Tests expose security flaws in popular pregnancy app
Posted September 21, 2016
There's an app for almost everything, including one that claims to help women get pregnant.
But Consumer Reports found some serious security flaws with Glow, which allows users to share some pretty personal information.
Glow is designed to help women track their menstrual cycles as they work to get pregnant. It asks personal questions of its users, questions such as whether or not they're using birth control or dealing with constipation.
Consumer Reports tested Glow's security and privacy features, and the results raised a red flag.
"We discovered that people with little to no hacking skills could link their Glow account to another user's account without the other person knowing it," Consumer Reports' Maria Rerecich said. "We investigated this using our own test accounts."
Rerecich said all testers needed was access to an email address.
"I didn't have to accept the invitation, and he can see the person information I entered in the app," she said.
Using other common security software, Consumer Reports could see the personal data of any user who posted a message in the app's forums.
In another test, Consumer Reports found that it was fairly easy to change a user's password and take control of their account.
"He changed my password. I could not get into my account because I didn't know the password," Rerecich said. "He could get into my account and do anything he wanted with that, have access to all my data and pretend to be me."
As a result of Consumer Reports' findings, Glow has since fixed the security issues.
Glow officials said there is no evidence to suggest that any data has been compromised.
In addition, Glow says it contacted all of its users and urged them to change their passwords, update their app and relink with their partner's account.
Another thing to remember, Consumer Reports says, is that data collected by health apps is not protected by HIPPA - the Health Insurance Portability and Accountability Act.
There are no laws preventing apps from selling personal information to marketers.