Glow is a mobile app designed to help women track their menstrual cycles and fertility. Like similar apps, it asks users to record the onset of their periods, along with details such as their weight and medications. Glow also asks for intimate physical details, including the appearance of their cervical mucous and the position of their cervix (the app has instructions for determining these characteristics), any history of abortions, whether they’ve experienced anything from diarrhea to low sex drive, their mood, and more.
Recently, Consumer Reports tested Glow for security and privacy features as part of a broader project, and found surprising vulnerabilities. One security flaw might have let someone with no hacking skills at all access a woman’s personal data. Other vulnerabilities would have allowed an attacker with rudimentary software tools to collect email addresses, change passwords, and access personal information from participants in Glow’s community forums, where people discuss their sex lives and health concerns.
We concluded that it would be easy for stalkers, online bullies, or identity thieves to use the information they gathered to harm Glow’s users. In July, we shared our concerns with Glow, Inc., the company that makes the app. The executive we spoke with was not aware of the potential vulnerabilities, and the company moved quickly to correct them.
“We were troubled by the nature and depth of the security problems we discovered,” says Maria Rerecich, Consumer Reports director of electronics testing who oversaw the analysis. “But we were pleased to see how quickly Glow responded to our concerns.”
Last week, an updated version of the app went live in Apple’s App Store and the Google Play Store, and Glow also made changes to its internal systems. We’ve evaluated the app again and confirmed that the major security flaws, which are described below, have been addressed. On Wednesday, Glow emailed users telling them about the fixes. The app we tested was one of four developed by the company; the other three are Eve by Glow, Glow Nurture, and Glow Baby. The company says it has 4 million users in total.
“We appreciate Consumer Reports bringing to our attention some possible vulnerabilities within our app,” Jennifer Tye, head of U.S. operations, said in a statement. “Once informed, our team immediately worked to address and correct the potential issues and have since released an updated version of the app. We also informed users via email to consider changing their password as an extra precaution. ... There is no evidence to suggest that any Glow data has been compromised.”
Consumer Reports joins Glow, Inc. in urging all users to update the app and change their password. Glow lets users link their accounts with a partner, so that he or she can share health information. Users who take advantage of that feature should disconnect and then reconnect with their partners.
Period Tracking in the Digital Age
Millions of women use period-tracking and fertility-awareness apps.
“I would say that women in their 20s are definitely using an app, even if they are taking oral contraceptives,” says Jo Zasloff, a certified nurse-midwife who has a private practice in New York City. “When they come in for their annual checkups, one of the first questions you ask is, ‘When was your last menstrual period?’ And the way they all know that is by looking at their app.”
Zasloff and other women’s healthcare providers agreed that the apps are also widely used by older women of childbearing age, and that they can be useful tools.
“There is good evidence that women who track their cycles in almost any way have a greater sense of autonomy which often goes with improved self-worth,” says Jerilynn C. Prior, a professor of endocrinology at the University of British Columbia. However, she adds, “I think many of the young women who are using online apps for tracking cycles have a curious sense of invincibility with regard to online security.”
Glow was developed by HVF, a tech incubator started by Max Levchin, one of the cofounders of PayPal. The letters stand for “Hard Valuable Fun.” The group outlines its mission on the company website: “...data is becoming our most plentiful, and most under-exploited commodity. … HVF searches relentlessly for opportunities that create value by leveraging data. This takes form of seed and early stage investing, rapid prototyping of internally- generated ideas (some of which develop into companies funded by HVF), getting together with the brightest minds in the many industries that will benefit from the data explosion, looking for (and at) interesting data sets and sources, and just geeking out on data.”
Vulnerability 1: Accounts linked without permission
Glow users can link the app to other health trackers, including Fitbit and MyFitness Pal, and to Facebook. Men can also record details of their physical health through the app—it asks about everything from time spent in saunas to masturbation sessions. Sexual partners can link their accounts whether they are trying to conceive a child or simply want to monitor each other’s wellness.
The ability to link accounts opened the way to the first vulnerability we found. It was a startling one, which could have been discovered even by casual Glow users. (To evaluate the Glow app, Consumer Reports engineers set up a number of test accounts; we didn’t tamper with accounts or passwords belonging to real users.)
Let’s say a woman named Cathe has been using Glow for awhile. She and her husband, Joe, are hoping to conceive a child, and Cathe decides to share her health data with him. Joe downloads the app, opens his own account with Glow, and sends a request to Cathe asking to link their two accounts. Once that’s accomplished, they can see each other’s data and Joe get alerts such as “Cathe is ovulating!”
So, what’s the problem?
We discovered that once Joe sent the request to Cathe, their accounts were linked and he could see much of her data—without Cathe having to do anything. She received an email saying that Joe had made the request, but it didn’t matter if that email got stuck in her spam folder, or if she simply never opened it. She did not have to acknowledge or accept the invitation.
As long as Cathe’s account wasn’t already linked with another one, the first person who invited her instantly gained access to her data. (Certain details, including weight, remained hidden.)
That means that until this week anyone—loving partner, obsessive ex-husband, or anonymous creep—could link his account to any Glow user’s, if he knew the woman’s email address.
Vulnerability 2: Personal data transmitted in forums
Glow has active community forums, in which women (and some men) discuss a wide range of topics—everything from the emotional and physical pain of a miscarriage to a user’s favorite sex positions. You can see the writer’s user name and when her comment was posted. The format would be familiar to anyone who’s used the social functions of other apps.
However, we learned that what you saw was just a portion of the data being sent to your phone.
At Consumer Reports, we used a commonplace tool for testing app security, which can be downloaded free to a laptop. Without going into too many details, it was easy to get our phones or tablets to use the laptop as their WiFi access point to the Web. The phone connected to the laptop, and the laptop connected to the router and then to the Internet. Now, all of the data going from the phone to Glow’s servers, or back from Glow’s servers to the phone, was read by the security software. It took just a few minutes, and minimal technical expertise, to set this up.
When we clicked on a forum post and consulted our testing software, we saw dozens of lines of text, which included the post writer’s full name, her email address, her rough location, and a number of details from her health log. We saw her birthdate, expressed as something called a UNIX timestamp, which is easy to convert into a regular date using free online calculators. We also saw her true user ID, which was a long string of numbers. (Every Glow user name gets linked to such a number, which she never normally sees.)
That information could have been enough to open a woman to harassment or identity theft, but we also discovered an additional, and disturbing, vulnerability: During our testing, it was easy to change a user’s Glow password, taking over her account.
Vulnerability 3: Passwords changed by attackers
Like other mobile apps, Glow allows users to change their passwords. On the iPhone version, you go into Settings, tap on “Change password,” and then get a pop-up screen that asks you to enter your old password along with the new password. So far, so run-of-the-mill.
However, using the app-security software on our lab laptop, we were able to change any user’s password without knowing the old password.
From the user’s point of view, the app was acting like many others, but from a programming point of view, the request for the old password was just for show, like a door lock with the deadbolt missing. It gave the appearance of security, but it didn’t offer real protection against the bad guys.
First, we used the normal app interface on our phone to change the password on a test account. On the laptop, we could see the short block of computer code, or API, that was being sent out from the phone to make that change on the company’s servers. As expected, the code was transmitting our user ID, email address, and the old password—but we discovered that the old password wasn’t actually being checked by Glow’s corporate servers. It didn’t matter what string of characters we entered; the new password was always accepted.
The next step was trivial. We copied the code, replaced our user ID and email address with another person’s information, added a new password, and sent the package along to Glow headquarters. We could now log in as that user, and gain access to all of her data.
Making the situation even worse, it was easy to figure out additional user IDs. Many of these numbers appear to be assigned sequentially—if one number ended in the digit “3,” there was another account with the identical number but ending in 4, and a third one ending in 5. If a hacker knew one user ID, he could have taken over that account, then bumped the number up by one digit, and steadily changed the passwords on additional accounts. Unless they logged out and then tried to log back in, users may never have discovered a problem.
Consumer Reports found a number of other problems with the Glow app that we communicated to the app developers. These are being addressed, according to the company. To cite just one more example, a user who had a problem with the app could click a button to send in a debug log, which would be addressed by software developers. Those logs contained personal information that, in our opinion, should be invisible to administrators. The company has now removed that functionality from the app.
Glow is one of hundreds of apps focused on reproductive health, and healthcare providers we spoke with generally applauded such products for helping women track their periods and develop what one researcher called “body literacy.” They also may lead to public health benefits, when aggregated data is available for study. However, users should realize that the information collected isn’t covered by the HIPAA laws that govern medical records held by doctors and hospitals. No laws prevent the information from being sold to marketers. And the apps aren’t evaluated for either security or the accuracy of the information they impart.
These issues concern Nathaniel DeNicola, an obstetrician-gynecologist who studies social media at the University of Pennsylvania’s Social Media and Health Innovation Lab.
“There’s not currently a regulatory body in our field or in medicine or in government that vets apps the way they do medical devices and drugs,” he says. And yet such products can affect women’s health. “Doctors are looking for guidance in this area—there’s no way a doctor can know about any percentage of the apps on the market.”
Around the country in medical offices, it appears that many women armed with smartphones are discussing fertility-awareness apps with their healthcare providers. Few, however, are bringing up security and privacy concerns.
“No patient has ever asked,” says Zasloff, the New York midwife. “In fact, I use one of these apps myself and it never even dawned on me.”
Copyright © 2005-2016 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.