Glow is a menstrual cycle and fertility tracking app. Jerry Beilinson, Consumer Reports:
Recently, Consumer Reports tested Glow for security and privacy features as part of a broader project, and found surprising vulnerabilities. One security flaw might have let someone with no hacking skills at all access a woman’s personal data. Other vulnerabilities would have allowed an attacker with rudimentary software tools to collect email addresses, change passwords, and access personal information from participants in Glow’s community forums, where people discuss their sex lives and health concerns.
We concluded that it would be easy for stalkers, online bullies, or identity thieves to use the information they gathered to harm Glow’s users. In July, we shared our concerns with Glow, Inc., the company that makes the app. The executive we spoke with was not aware of the potential vulnerabilities, and the company moved quickly to correct them.
This kind of thing is why last month’s introduction in Europe of a network security law is sorely needed in the United States. Glow reacted responsibly, and Consumer Reports did a good service by finding these faults, but it’s not enough. There’s no legal requirement for companies to disclose their security faults, nor are they mandated to test their apps or services prior to launch.
We’re now providing personal and sensitive information on a regular basis to apps and services. While it would be advisable for consumers to restrict the amount of data they’re providing and to be aware of the possible implications of a breach, users aren’t going to do that, nor should they be expected to. Their data can be transferred in unexpected ways, from the obviously illegal black hat hacker scenario to a totally mundane corporate acquisition. Users’ data ought to be protected with far more care than it currently is.