[0x0v1] Newsletter | Avoid WhatToExpect pregnancy app, if you care about your privacy & security

Ovi
Ovi

There's snow outside today as winter closes in, and it's feeling pretty cozy. I'm sitting here with a coffee, starting to write some proposals for civic society groups, and it's been on my mind to write about the WhatToExpect palaver. In my latest piece of research for REprivacy, I started to look at the WhatToExpect pregnancy & fertility application—an app built to profit from women's reproductive health data under the guise of social healthcare. This app is built by a company that demonstrably does not care about the security and privacy of its users.

I found two minor vulnerabilities and one major vulnerability, which included a full account takeover due to a weakness in their password reset mechanism (CWE-640).

RE:privacy | Critical vulnerabilities & privacy concerns in WhatToExpect fertility app
A high level summary of this issue is provided below. A deep technical breakdown of the vulnerabilities is provided later on to supporters of my work. Executive Summary This research reveals several critical vulnerabilities in the WhatToExpect application, exposing users’ sensitive personal and reproductive health information to potential misuse and

I initially sought to reach out to WhatToExpect to responsibly disclose these issues. I made numerous attempts to communicate the problems with them but received no replies. In speaking with Joe over at 404Media about the potential for them not addressing the issues, Joe also reached out to them and, likewise, received no reply. After one month of attempts, I decided to publicly disclose the issue for the protection of the users. In my report, I stated:

Responsible disclosure is a fundamental practice in ethical hacking, designed to protect users by informing app owners of security and privacy vulnerabilities. Typically, security researchers follow a process of privately disclosing these issues, giving developers the opportunity to resolve them before public disclosure. However, when app owners are unresponsive or unwilling to take action, the timeline for disclosure may be shortened to prioritize user safety. When security risks expose users to potential harm—such as unauthorized access to sensitive data or privacy breaches—it becomes essential to inform users or the broader security community. This approach balances the ethical obligation to protect end-users with the need to hold application owners accountable for securing their platforms. In this case, my goal is to ensure that users are aware of potential risks, especially given the silence from the app owners, and to encourage a swift resolution to safeguard personal data and maintain user trust.

This statement couldn't be more true after WhatToExpect's actions to the public disclosure.

After publicly disclosing the issues on my website, the app developers, while still having not communicated with me at all, patched the vulnerabilities—much like what Glow Fertility did. Following this, they published a vulnerability disclosure program through ZiffDavis on their contact page, almost as a brazen indirect acknowledgment of my findings and our reporting.

This vulnerability disclosure program does not pay security researchers for their findings. Surprising? No, not really. They explicitly state that no monetary reward will be offered for improving the security of their multi-million-dollar product and multi-million-user customer base. This is contrary to products like Flo and Ovia Health, who have worked quickly, efficiently, and happily with me to fix issues and compensate me for my research.

Joe from 404Media reached out to them again to ask why they have not communicated anything to their customers, to myself (the finder of these vulnerabilities), or to Joe, who was covering the story. They, of course, did not respond.

Much like the situation with the Glow Fertility women's health app, these companies show no recourse for their actions. They are operating in a landscape where they are unfazed by external pressures and are able to continue profiting off their customers with no accountability. While this research has indeed protected the consumers of this product by making it more secure, the company continues unfazed, with no consequences for their inaction and lack of concern for critical security and privacy matters within their product. A true example of how corporate companies are dominating our digital rights by being driven solely by internal pressures.

While I'm here, I wish to thank the paid supporters of my site and research. As you know, I'm an independent researcher working only with civic society groups. This is made possible by grants, donors, and supporters of this site. I want to thank the people who support me and this work. Kaia, Dismantl, Retla, Andrew, Gasdas, Jan, Idel & Hannon—thank you for contributing to support my work through this site. You help make independence possible, in a landscape where security research is destined to be consumed by the corperate monsters.