Gandalf_The_Grey
According to new findings from Ovie, a hacktivist and security researcher, the "WhatToExpect" pregnancy app has some serious security problems that could put users at risk. Ovie discovered multiple vulnerabilities, including a major issue with the app's password reset feature, which lets hackers easily take over user accounts. This is especially concerning for people storing sensitive reproductive health and abortion data in the app.
Ovie found that an exposed API endpoint could let hackers reset passwords without any proper checks, giving them full access to accounts. This is concerning given the current political climate around abortion access in the U.S., where abortion laws have been a huge focus since Roe v. Wade was overturned.
In response to this, companies have recognized the responsibility to protect sensitive health data. Google, for example, has taken steps to limit the collection of location data, especially for visits to clinics that provide abortion services. By disabling location history tracking for such visits, Google is helping to ensure that users' data is not misused, particularly in states where reproductive rights are criminalized.
If this data ended up in the wrong hands, users could face serious privacy violations like harassment, doxing, or worse, especially in places where reproductive rights are criminalized.
On top of that, Ovie's research showed that "WhatToExpect" is mishandling Personally Identifiable Information (PII). The app is exposing user data, like names, addresses, and reproductive details, with hardly any security measures in place. In some cases, things like the user’s due date and even the baby’s gender are being exposed through insecure APIs. Even worse, some data is stored in plain text, which raises major concerns about whether the app follows basic data protection practices like encryption.
Source: "This pregnancy app has a huge security flaw that it does not want to fix" (www.neowin.net). One researcher has uncovered serious security flaws in a health app, leaving sensitive user data exposed to potential breaches.