Critical Security Flaws Found in “What to Expect” Pregnancy App
The popular pregnancy tracking application What to Expect, available on both iOS and Android, has been found to contain critical vulnerabilities that could enable the complete takeover of user accounts and the leakage of sensitive reproductive health data. These risks are particularly alarming given the increasing threats of harassment faced by advocates of reproductive rights.
Cybersecurity researcher Ovi Liber, who shared his findings with 404 Media prior to their publication, warned: “Exposure of reproductive health information could have severe consequences, leaving users vulnerable to harassment, doxing, incrimination, or even targeted attacks by malicious actors.”
Broad Reach and Multifaceted Features
According to Google Play, the app has been downloaded over five million times on Android devices. On iOS, it has garnered more than 340,000 reviews. Described by its developers as “the most recognized and trusted brand in pregnancy and parenting,” What to Expect offers a comprehensive platform featuring thousands of medically accurate articles. Beyond educational content, the app provides tools for tracking a child’s development, including feeding times, sleep schedules, and other key milestones.
API Vulnerabilities and Associated Risks
Ovi Liber identified several significant security flaws in the app’s backend. The most critical is a password-reset API endpoint that requires no authentication and applies no rate limiting, so an attacker can submit guesses for a reset code without restriction and take over an account in a short period.
According to the researcher, a password reset code stays valid for an hour, which is ample time to crack it: a modern CPU can recover the code within that one-hour window, and a high-performance GPU such as the NVIDIA V100 cuts the time to roughly five minutes.
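To make the missing controls concrete, the following is an added example of a reset-code verifier that enforces what the page says the endpoint lacked: a short validity window, a cap on guesses per code, single use, and a high-entropy code that is stored only as a hash. It is illustrative code written for this page, not the What to Expect app's implementation, and the TTL, attempt limit and token length are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; they are not the app's real settings.
RESET_CODE_TTL_SECONDS = 10 * 60   # ten minutes instead of a one-hour window
MAX_ATTEMPTS_PER_CODE = 5          # burn the code after a handful of wrong guesses
CODE_BYTES = 16                    # 128 bits of entropy, infeasible to brute-force


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class PendingReset:
    code_hash: bytes   # only the hash is stored; a DB leak does not expose live codes
    issued_at: float
    attempts: int = 0


class ResetService:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.pending: dict[str, PendingReset] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, email: str) -> str:
        """Create a fresh reset code for the account.

        The code is returned here only so the example can deliver it
        out of band (e.g. by e-mail); an API response must never echo it.
        """
        code = secrets.token_urlsafe(CODE_BYTES)
        self.pending[email] = PendingReset(self._digest(code), self.clock())
        return code

    def verify(self, email: str, submitted: str) -> bool:
        """Check a submitted code, enforcing expiry, attempt limit and single use."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > RESET_CODE_TTL_SECONDS:
            del self.pending[email]          # expired: require a new request
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS_PER_CODE:
            del self.pending[email]          # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(self._digest(submitted), entry.code_hash)
        if ok:
            del self.pending[email]          # single use
        return ok


def guesses_evaluated_before_lockout(service: ResetService, email: str, guesses) -> int:
    """Count how many wrong guesses the service compares before burning the code.

    Returns the number of guesses that reached the comparison step; once the
    code is burned, further guesses are rejected without comparison.
    """
    evaluated = 0
    for g in guesses:
        if email not in service.pending:
            break
        service.verify(email, g)
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    clock = FakeClock()
    svc = ResetService(clock=clock)
    svc.issue("user@example.com")
    # A naive brute force is cut off after MAX_ATTEMPTS_PER_CODE + 1 submissions.
    n = guesses_evaluated_before_lockout(svc, "user@example.com", (str(i) for i in range(10_000)))
    print(f"guesses accepted before lockout: {n}")
```

The attempt limit is what turns an hour-long window into a handful of guesses; the hashed storage and constant-time comparison close the side channels that would otherwise let an attacker shortcut the search.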
Additionally, a separate flaw exposes the email addresses of group administrators in the app’s community forums, which compounds the risk by making it easier to single out specific users for targeted harassment.
Lack of Developer Response
Liber made repeated attempts to notify the app’s developers. His first outreach on October 24 went unanswered, followed by subsequent attempts to contact the company’s PR department, which were similarly ignored. Requests for comment from journalists at 404 Media were also met with silence.
In his report, Liber emphasized the importance of adhering to principles of responsible disclosure, wherein vulnerabilities are confidentially reported to developers to allow time for remediation prior to public release. However, he noted that the company’s failure to respond could hasten the disclosure process in the interest of user safety.
A Call for Accountability
The uncovered vulnerabilities highlight critical gaps in security practices within widely used applications, particularly those handling sensitive health information. As the developers of What to Expect remain unresponsive, the onus is now on users to exercise caution while the broader industry grapples with the implications of these findings.