Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.
After being alerted to these problems, Glow fixed the app and re-released it. Consumer Reports has verified that the app's known major problems have been fixed.
This is the first cybersecurity audit that Consumer Reports has published, and the beginning of a wider project they're commencing. The mistakes that CR's lab found are extremely grave, and the result of very poor judgment on the part of the app's vendor. The vendor is funded by a VC whose mission is to "search relentlessly for opportunities that create value by leveraging data," which is a pretty investment strategy.
The companies backed by data-hungry VCs will perforce design their products to extract as much data as possible from their users, deploying the full suite of behavioral economics tricks to induce users to disclose more information than they would otherwise.
In addition, most venture-backed companies have six months or a year's worth of runway, meaning that every dollar they spend on security engineering is a dollar they can't spend keeping the lights on while they try to raise another round, or attain profitability, or sell the company. If they fail to do one of those three things, it won't matter if the user data they've collected breaches, because there won't be any company left to sue. If they do manage to survive their six-month timeline, they can fix it then (or maybe fob the problem off on some googleish giant that's acquired them).
So there's a lot more of this waiting around -- companies with a dozen employees and three million users, companies amassing as much data as they can as part of a speculative bet on being able to monetize it, companies who face no penalty for shorting on security and who hasten their own demise if they divert their stretched resources to protecting user data.
It's wonderful and important that Consumer Reports is starting to work on this, though they have their work cut out for them (and then some).
The ability to link accounts opened the way to the first vulnerability we found. It was a startling one, which could have been discovered even by casual Glow users. (To evaluate the Glow app, Consumer Reports engineers set up a number of test accounts; we didn’t tamper with accounts or passwords belonging to real users.)
Let’s say a woman named Cathe has been using Glow for a while. She and her husband, Joe, are hoping to conceive a child, and Cathe decides to share her health data with him. Joe downloads the app, opens his own account with Glow, and sends a request to Cathe asking to link their two accounts. Once that’s accomplished, they can see each other’s data and Joe gets alerts such as “Cathe is ovulating!”
So, what’s the problem?
We discovered that once Joe sent the request to Cathe, their accounts were linked and he could see much of her data—without Cathe having to do anything. She received an email saying that Joe had made the request, but it didn’t matter if that email got stuck in her spam folder, or if she simply never opened it. She did not have to acknowledge or accept the invitation.
As long as Cathe’s account wasn’t already linked with another one, the first person who invited her instantly gained access to her data.
Glow Pregnancy App Exposed Women to Privacy Threats, Consumer Reports Finds [Jerry Beilinson/Consumer Reports]
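
The linking flaw described in the excerpt above, modelled as an added Python example (not Glow's or Consumer Reports' code; every class, function and address here is hypothetical): the flawed path grants read access the moment a request is sent, while the hardened path records a pending invitation that only the invited account holder can accept. Only the invited user's side of the link is modelled.

```python
# Added illustration with hypothetical names; not code from the app.
from dataclasses import dataclass, field


@dataclass(eq=False)  # identity comparison: two accounts are never "equal"
class Account:
    email: str
    partner: "Account | None" = None             # set only for an accepted link
    pending: list = field(default_factory=list)  # invitations awaiting a decision


def request_link_flawed(requester: Account, target: Account) -> bool:
    """Behaviour the report describes: sending the request creates the link."""
    if target.partner is not None:
        return False
    target.partner = requester  # no consent step; first requester wins
    return True


def request_link(requester: Account, target: Account) -> bool:
    """Hardened: a request only queues an invitation and grants nothing."""
    if target.partner is not None or requester in target.pending:
        return False
    target.pending.append(requester)
    return True


def accept_link(target: Account, acting_user: Account, requester: Account) -> bool:
    """Only the invited account holder may turn an invitation into a link."""
    if acting_user is not target or target.partner is not None:
        return False
    if requester not in target.pending:
        return False
    target.partner = requester
    target.pending.clear()  # remaining invitations lapse once a link exists
    return True


def can_read(viewer: Account, owner: Account) -> bool:
    """Authorization check run on every read of the owner's health data."""
    return viewer is owner or owner.partner is viewer


if __name__ == "__main__":
    # Constructed sample accounts.
    cathe, joe = Account("cathe@example.com"), Account("joe@example.com")
    request_link(joe, cathe)
    print("before acceptance:", can_read(joe, cathe))
    accept_link(cathe, cathe, joe)
    print("after acceptance:", can_read(joe, cathe))
```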