According to the report, investigators were able to access extremely sensitive, personal information about users’ sex lives, miscarriage histories, abortions, and more — all by way of a privacy loophole related to the way Glow lets couples link accounts and share data.
Moreover,the Pregnancy Glow community forums somehow contained personal data like users’ names, email addresses, locations, birthdays, and other health details entered into the app. The Consumer Reports team said that this data was easy to uncover using a free, downloadable security testing app, and was then parsed using an online calculator.
As Consumer Reports noted, “The problem with this is that Glow made it a little too easy to connect accounts: a malicious user could add him- or herself to an account without the [account holder] granting them permission to do so, and have access to some very personal data without her even knowing.”
Following TechCrunch’s initial report of these security flaws, Glow investor and executive chairman Max Levchin took to Twitter to ensure nervous parties that the Glow team had “corrected the potential issues,” and further insisted that there was “no evidence to suggest that any @GlowHQ data was compromised.” The Glow team further noted that it had contacted all its users to reset their passwords, update the app, and re-link the app with their partner’s account.
@DigitalTrends we corrected the potential issues & there is no evidence to suggest that any @GlowHQ user data was compromised.
— Max Levchin (@mlevchin) August 5, 2016
“We appreciate Consumer Reports bringing to our attention some possible vulnerabilities within our app. The industry only gets stronger with white hats who are looking to protect consumers. Once informed, our team immediately worked to address and correct the potential issues and have since released an updated version of the app,” said Jennifer Tye, Glow’s head of U.S. operations. “We also informed users via email to consider changing their password as an extra precaution.”
Tye concluded, “Of the more than 4 million users across our apps, far less than 0.15 percent of our users could have potentially been impacted, but there is no evidence to suggest that any Glow data has been compromised.”
That said, some might be concerned that Glow was reacting to these reports, rather than proactively looking for potential vulnerabilities themselves.
“We were troubled by the nature and depth of the security problems we discovered,” said Maria Rerecich, Consumer Reports’ director of electronics testing, who oversaw the analysis. “But we were pleased to see how quickly Glow responded to our concerns.”
Article originally written by Lulu Chang. Updated on 8-8-2016 by Malarie Gokey with a response from Glow.
