Saturday, July 30, 2016

Pregnancy-tracking app was riddled with vulnerabilities, exposing … – Boing Boing

Consumer Reports Labs tested Glow, a popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in its security and privacy design, errors that would have made it straightforward for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access very intimate data about the millions of women and their partners who use the app.

After being alerted to these problems, Glow fixed the app and re-released it. Consumer Reports has verified that the app's known serious problems have been fixed.

This is the first cybersecurity audit that Consumer Reports has published, and the start of a wider project they're undertaking. The mistakes that CR's lab found are very grave, and the result of pretty poor judgment on the part of the app's vendor. The vendor is funded by a VC whose mission is to "search relentlessly for opportunities that create value by leveraging data," which is quite an investment strategy.

The companies backed by data-hungry VCs will perforce design their products to extract as much data as possible from their users, deploying the full suite of behavioral economics tricks to induce users to disclose much more data than they otherwise would.

In addition, most venture-backed companies have six months or a year's worth of runway, meaning that every dollar they spend on security engineering is a dollar they can't spend keeping the lights on while they try to raise another round, or reach profitability, or sell the company. If they fail to do one of those three things, it won't matter if the user data they've collected is breached, because there won't be any company left to sue. If they do manage to survive their six-month timeline, they can fix it afterwards (or perhaps fob the problem off on some Googleish giant that has acquired them).

So there's a lot more of this waiting around: companies with a dozen employees and three million users, companies amassing as much data as they can as part of a speculative bet on being able to monetize it, companies that face no penalty for skimping on security and that would hasten their own demise if they diverted their stretched resources to protecting user data.

It's wonderful and crucial that Consumer Reports is starting to work on this, though they have their work cut out for them (and then some).

The ability to link accounts opened the way to the first vulnerability we found. It was a startling one, which could have been discovered even by casual Glow users. (To evaluate the Glow app, Consumer Reports engineers set up a number of test accounts; we didn't tamper with accounts or passwords belonging to real users.)

Let's say a woman named Cathe has been using Glow for a while. She and her husband, Joe, are hoping to conceive a child, and Cathe decides to share her health data with him. Joe downloads the app, opens his own account with Glow, and sends a request to Cathe asking to link their two accounts. Once that's accomplished, they can see each other's data and Joe gets alerts such as "Cathe is ovulating!"

So, what’s the problem?

We discovered that once Joe sent the request to Cathe, their accounts were linked and he could see much of her data, without Cathe having to do anything. She received an email saying that Joe had made the request, but it didn't matter if that email got stuck in her spam folder, or if she just never opened it. She did not have to acknowledge or accept the invitation.

As long as Cathe's account wasn't already linked with another one, the first person who invited her automatically gained access to her data.

Glow Pregnancy App Exposed Women to Privacy Threats, Consumer Reports Finds [Jerry Beilinson/Consumer Reports]
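The linking flaw described in the excerpt above, as an added example that is not Glow's code and not part of the Consumer Reports write-up: a link request that takes effect the moment it is sent (the reported behaviour) next to one that stays pending until the invitee accepts it from her own session with an unguessable, single-use, expiring token. The data model, the `VulnerableLinker`/`SafeLinker` classes, the invite lifetime and the sample accounts are all assumptions made for the demonstration.

```python
"""Partner-account linking, vulnerable vs. hardened (added example).

Constructed illustration, not Glow's code: names, data model and the
seven-day invite lifetime are assumptions for the demo.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    partner: Optional[str] = None            # name of linked partner, if any
    cycle_data: dict = field(default_factory=dict)


class VulnerableLinker:
    """Mirrors the reported behaviour: sending the invite links the accounts."""

    def __init__(self, users):
        self.users = users

    def send_request(self, inviter: str, invitee: str) -> bool:
        a, b = self.users[inviter], self.users[invitee]
        if a.partner or b.partner:           # the only guard: neither already linked
            return False
        a.partner, b.partner = invitee, inviter   # linked before the invitee acts
        # a notification email goes out here, but nothing waits for a reply
        return True

    def view_data(self, viewer: str, owner: str):
        o = self.users[owner]
        return o.cycle_data if viewer == owner or o.partner == viewer else None


class SafeLinker:
    """Invite creates a pending record; data is shared only after acceptance."""

    TTL = 7 * 24 * 3600  # invite lifetime in seconds (assumed policy)

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.pending = {}  # token -> (inviter, invitee, expires_at)

    def send_request(self, inviter: str, invitee: str) -> Optional[str]:
        a, b = self.users[inviter], self.users[invitee]
        if a.partner or b.partner:
            return None
        token = secrets.token_urlsafe(32)    # unguessable, delivered to the invitee only
        self.pending[token] = (inviter, invitee, self.clock() + self.TTL)
        return token                          # no link exists yet

    def accept(self, acting_user: str, token: str) -> bool:
        rec = self.pending.get(token)
        if rec is None:
            return False
        inviter, invitee, expires_at = rec
        if self.clock() > expires_at:        # stale invite: discard it
            self.pending.pop(token, None)
            return False
        if acting_user != invitee:           # bind acceptance to the logged-in
            return False                     # invitee, not merely to the token
        a, b = self.users[inviter], self.users[invitee]
        if a.partner or b.partner:           # re-check at accept time, not send time
            self.pending.pop(token, None)
            return False
        a.partner, b.partner = invitee, inviter
        self.pending.pop(token)              # single use
        return True

    def view_data(self, viewer: str, owner: str):
        o = self.users[owner]
        return o.cycle_data if viewer == owner or o.partner == viewer else None


def make_users():
    """Constructed sample accounts (not real user data)."""
    return {
        "cathe": User("cathe", cycle_data={"ovulating": True}),
        "joe": User("joe"),
        "mallory": User("mallory"),
    }


def demo():
    """Returns (vulnerable_leak, safe_before_accept, safe_after_accept, stranger_accept)."""
    vuln = VulnerableLinker(make_users())
    vuln.send_request("mallory", "cathe")          # a stranger invites Cathe
    leak = vuln.view_data("mallory", "cathe")      # and reads her data at once

    safe = SafeLinker(make_users())
    tok = safe.send_request("joe", "cathe")
    before = safe.view_data("joe", "cathe")        # None: nothing linked yet
    stranger = safe.accept("mallory", tok)         # False: token is bound to Cathe
    safe.accept("cathe", tok)                      # Cathe accepts from her own session
    after = safe.view_data("joe", "cathe")
    return leak, before, after, stranger
```

The two points a reviewer would look for are visible in `accept`: the acceptance is tied to the authenticated invitee rather than to possession of the token alone, and the "already linked" condition is evaluated when the link is created, not when the request was sent.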
