What To Expect, a popular pregnancy tracking app on both iOS and Android, is ignoring multiple serious vulnerabilities in its app, including one which allows a full takeover of a user’s account, exposing their sensitive reproductive health information.
The vulnerabilities are particularly sensitive at a time when advocates for reproductive health can become targets of harassment.
In a write-up he shared with 404 Media before publication, security researcher Ovi Liber said “exposure of reproductive health information could have severe consequences, leaving users vulnerable to harassment, doxing, incrimination, or even targeted attacks by malicious actors.”
The What to Expect app on Android has more than five million downloads, according to the app’s Google Play Store page. On iOS it has more than 340,000 reviews. What to Expect describes itself as “the world’s best-known, most trusted pregnancy and parenting brand, offers an all-in-one pregnancy and baby tracker app with thousands of medically accurate articles to help you navigate pregnancy and parenthood.” The app provides community feeds focused on particular parts of pregnancy and users can follow and engage in, such as breastfeeding, according to screenshots on the app’s Google Play Store page. Users can input information about their own baby, such as when they pooped, when they slept, and when they ate.
The What to Expect app is part of the wider What to Expect pregnancy and parenting brand, which started with the massively popular book What to Expect When You’re Expecting.
The first security issue Liber found revolves around an exposed API endpoint for the What to Expect app. This API does not require authentication and has no rate limiting, Liber writes. This API handles password reset requests, and because of the lack of rate limiting can be brute forced, according to Liber. “An account could be taken over in an extremely short amount of time,” Liber writes.
“The reset code lifetime exists for an overzealous amount of time, 1 hour, which provides plenty of opportunity for an attacker to brute force it. To brute force such a code in 1 hour, is entirely feasible with a basic modern consumer CPU. If an attacker leveraged a GPU, it would be trivial—using an NVIDIA V100, the brute-force process could be completed in around 5 minutes, if not less,” he adds.
Liber said they found another issue where the What To Expect app is exposing the email addresses of all group administrations in the community forum. “It poses a serious privacy risk, increasing the chances of targeted harassment or attack,” Liber writes.
In his write-up, Liber says he disclosed the vulnerabilities to What To Expect but never received a reply. He says he first tried to contact the company on October 24 to no response. A few days later he contacted the company’s public relations team and again did not receive a reply.
“Responsible disclosure is a fundamental practice in ethical hacking, designed to protect users by informing app owners of security and privacy vulnerabilities. Typically, security researchers follow a process of privately disclosing these issues, giving developers the opportunity to resolve them before public disclosure,” Liber writes. “However, when app owners are unresponsive or unwilling to take action, the timeline for disclosure may be shortened to prioritize user safety. When security risks expose users to potential harm—such as unauthorized access to sensitive data or privacy breaches—it becomes essential to inform users or the broader security community.”
What to Expect did not respond to a request for comment from 404 Media.
“The organization’s inaction raises significant ethical concerns about its commitment to safeguarding user privacy and security. This research aims to bring awareness to these vulnerabilities, emphasizing the critical importance of digital rights and user protection in applications that handle sensitive personal data,” Liber wrote.
In February, TechCrunch reported that Liber found a vulnerability in the fertility tracking app Glow that exposed the personal data of around 25 million users. Glow fixed that issue.