Pregnancy Tracking App at Risk of Attack

Hey there, Joseph here with some pretty worrying vulnerabilities in a very popular pregnancy tracking app. What to Expect, the app, has not responded to attempts to responsible disclose these issues, meaning that they're still very much active. The security researcher who found them has decided to go loud now instead. Maybe the public will decide to avoid this app in the future? The full story follows below.

What To Expect, a popular pregnancy tracking app on both iOS and Android, is ignoring multiple serious vulnerabilities in its app, including one which allows a full takeover of a user’s account, exposing their sensitive reproductive health information.

The vulnerabilities are particularly sensitive at a time when advocates for reproductive health can become targets of harassment.

In a write-up he shared with 404 Media before publication, security researcher Ovi Liber said “exposure of reproductive health information could have severe consequences, leaving users vulnerable to harassment, doxing, incrimination, or even targeted attacks by malicious actors.”

This segment is a paid ad. If you’re interested in advertising, let's talk.

Generative AI (GenAI) chatbots are changing the way businesses engage with customers by providing intelligent, round-the-clock support. However, this technology comes with serious risks, including the potential for unsafe responses and the mishandling of sensitive requests, which can jeopardize a company’s reputation and customer safety.

In ActiveFence’s latest report, we explore these vulnerabilities via a case study from the travel industry to highlight broader implications for business using GenAI-powered applications. It also examines the challenges faced by travel companies, including risks to brand integrity and safety concerns related to user recommendations. Plus, we provide practical strategies for improving safety measures and protecting your GenAI applications from potential threats.

You’ll also find real-life examples of how our researchers manipulated the AI systems with risky prompts to reveal unsafe advice.
Stay informed and safeguard your business—read the full report today.

The What to Expect app on Android has more than five million downloads, according to the app’s Google Play Store page. On iOS it has more than 340,000 reviews. What to Expect describes itself as “the world’s best-known, most trusted pregnancy and parenting brand, offers an all-in-one pregnancy and baby tracker app with thousands of medically accurate articles to help you navigate pregnancy and parenthood.” The app provides community feeds focused on particular parts of pregnancy and users can follow and engage in, such as breastfeeding, according to screenshots on the app’s Google Play Store page. Users can input information about their own baby, such as when they pooped, when they slept, and when they ate.

The What to Expect app is part of the wider What to Expect pregnancy and parenting brand, which started with the massively popular book What to Expect When You’re Expecting.  

The first security issue Liber found revolves around an exposed API endpoint for the What to Expect app. This API does not require authentication and has no rate limiting, Liber writes. This API handles password reset requests, and because of the lack of rate limiting can be brute forced, according to Liber. “An account could be taken over in an extremely short amount of time,” Liber writes. 

“​​The reset code lifetime exists for an overzealous amount of time, 1 hour, which provides plenty of opportunity for an attacker to brute force it. To brute force such a code in 1 hour, is entirely feasible with a basic modern consumer CPU. If an attacker leveraged a GPU, it would be trivial—using an NVIDIA V100, the brute-force process could be completed in around 5 minutes, if not less,” he adds.

Liber said they found another issue where the What To Expect app is exposing the email addresses of all group administrations in the community forum. “It poses a serious privacy risk, increasing the chances of targeted harassment or attack,” Liber writes.

In his write-up, Liber says he disclosed the vulnerabilities to What To Expect but never received a reply. He says he first tried to contact the company on October 24 to no response. A few days later he contacted the company’s public relations team and again did not receive a reply. 

“Responsible disclosure is a fundamental practice in ethical hacking, designed to protect users by informing app owners of security and privacy vulnerabilities. Typically, security researchers follow a process of privately disclosing these issues, giving developers the opportunity to resolve them before public disclosure,” Liber writes. “However, when app owners are unresponsive or unwilling to take action, the timeline for disclosure may be shortened to prioritize user safety. When security risks expose users to potential harm—such as unauthorized access to sensitive data or privacy breaches—it becomes essential to inform users or the broader security community.” 

What to Expect did not respond to a request for comment from 404 Media.

“The organization’s inaction raises significant ethical concerns about its commitment to safeguarding user privacy and security. This research aims to bring awareness to these vulnerabilities, emphasizing the critical importance of digital rights and user protection in applications that handle sensitive personal data,” Liber wrote.

In February, TechCrunch reported that Liber found a vulnerability in the fertility tracking app Glow that exposed the personal data of around 25 million users. Glow fixed that issue.