5 Minutes to Hack: What to Expect Reveals Reproductive Data of Millions of Women

Man

Developers are in no hurry to solve security problems.

The popular pregnancy tracking app What to Expect, available on iOS and Android, has been found to have serious vulnerabilities that could lead to a complete takeover of user accounts and the leakage of sensitive reproductive health information. These risks become especially relevant against the backdrop of threats associated with harassment against defenders of reproductive rights.

Security researcher Ovi Lieber, who presented his findings to 404 Media prior to their publication, pointed out that "the leakage of reproductive health data can have serious consequences, leaving users vulnerable to harassment, doxxing, criminal prosecution, or even targeted attacks by malicious actors."

Extensive audience and app functionality

According to Google Play, the app has more than five million downloads on Android. On iOS, it has collected more than 340 thousand reviews. The developers describe What to Expect as "the most well-known and trustworthy brand in the field of pregnancy and parenting, providing an all-in-one app with thousands of medically accurate articles." In addition to informational content, the application allows users to monitor the development of the child, recording, for example, the time of feeding, sleep and other parameters.

API Vulnerabilities and Risks

Security researcher Ovi Lieber discovered several serious security vulnerabilities in the application. The main problem is related to an unsecured API endpoint that is responsible for resetting passwords. The lack of authentication and restrictions on the number of requests allows attackers to compromise user accounts in an "extremely short time."

According to the researcher, the password reset code is valid for an hour, which gives attackers enough time to guess it. With a modern processor, hacking is possible within an hour, and the use of the NVIDIA V100 GPU reduces the attack time to 5 minutes.
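The two weaknesses described above are the absence of a request limit on the reset endpoint and a reset code that stays valid long enough to be guessed. The following is an added illustration, not code from What to Expect, of how a reset-code verifier closes both gaps: the code is a 256-bit random token rather than a short number, only its hash is stored, it expires after ten minutes, it is single-use, and it is invalidated after five wrong guesses. The class and constant names (ResetCodeStore, MAX_ATTEMPTS, CODE_TTL_SECONDS) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not the app's code): a password-reset verifier that removes
# the conditions the article describes, unlimited guesses and a one-hour window.

CODE_BYTES = 32          # 256-bit random token, far beyond brute-force reach
CODE_TTL_SECONDS = 600   # ten-minute validity instead of an hour
MAX_ATTEMPTS = 5         # the code is destroyed after this many wrong guesses


@dataclass
class PendingReset:
    token_hash: bytes    # only a hash of the token is kept server-side
    expires_at: float
    attempts: int = 0


class ResetCodeStore:
    """Holds outstanding reset codes keyed by account id."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested offline
        self._pending: dict[str, PendingReset] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, account_id: str) -> str:
        """Create a fresh code; the caller delivers it out of band (e-mail),
        it is never handed back by an unauthenticated API response."""
        token = secrets.token_urlsafe(CODE_BYTES)
        self._pending[account_id] = PendingReset(
            token_hash=self._hash(token),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return token

    def verify(self, account_id: str, candidate: str) -> bool:
        """Return True only for the correct, unexpired, single-use code.
        Every failure counts against the code; too many failures destroy it."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[account_id]          # expired: force a new request
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]          # guess budget exhausted
            return False
        # constant-time comparison on the hashes, no timing side channel
        if hmac.compare_digest(entry.token_hash, self._hash(candidate)):
            del self._pending[account_id]          # single use
            return True
        return False


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("user-1")
    print("wrong guess accepted:", store.verify("user-1", "000000"))
    print("real code accepted:  ", store.verify("user-1", code))
    print("replay accepted:     ", store.verify("user-1", code))
```

The per-code attempt counter is the control that matters most here: with it in place, even an hour-long window gives an unauthenticated caller only five guesses against a 256-bit token, so the processing power of the caller no longer affects the outcome.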

An additional threat is the open access to the email addresses of group administrators in the application's community forum. This vulnerability increases the risk of targeted attacks and harassment of users.

Lack of developer response

Lieber repeatedly tried to contact the developers of the application. The first attempt to notify the company of the vulnerabilities was made on October 24, then the researcher contacted the PR department, but there was no response. What to Expect also ignored 404 Media's request for comment on the situation.

In his research, he emphasized the importance of responsible vulnerability disclosure principles. Usually, such issues are resolved confidentially so that developers can fix the problem before it is made public. However, according to him, ignoring such messages by the company can speed up the publication of data in the interests of user safety.
