Mental health app Feelyou says emails from 78,000 users were breached

By Lance T. Lee

Jul 19, 2022

Popular mental health app Feelyou announced a platform vulnerability this week that exposed the email addresses of nearly 78,000 of its users.

Security researcher maia arson crimew told The Record that she discovered the problem while reverse-engineering several other mental health trackers and similar apps.

After discovering the vulnerability in the Feelyou platform, she contacted The Daily Dot, which reported the issue on Monday.

When asked to comment, Bajji – the company that owns Feelyou – directed The Record to a statement released on Tuesday revealing that the vulnerability in the platform was patched on Saturday July 16.

Until Saturday, anyone could see the email addresses of the app’s 77,967 users in 177 countries and link them to messages posted on the platform. Feelyou allows users to track their mood and share their feelings on a daily basis.

Feelyou’s GraphQL application programming interface (API) did not require authentication, leaving it open to anyone, according to crimew.
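To make the failure mode concrete, here is an added example in JavaScript; it is not Feelyou’s code nor a reconstruction of its API, and the users, posts and the `resolvePosts` functions are constructed for illustration. It places a resolver that answers any caller and attaches the author’s email to every post beside a hardened version that requires an authenticated session and only resolves the email field for the caller’s own record.

```javascript
// Added example (hypothetical, not Feelyou's code): a GraphQL-style resolver
// layer showing an API that answers without authentication next to one that
// checks the request context. All data below is constructed sample data.

const users = new Map([
  [1, { id: 1, email: "alice@example.invalid" }],
  [2, { id: 2, email: "bob@example.invalid" }],
]);

const posts = [
  { id: 10, authorId: 1, text: "feeling okay today" },
  { id: 11, authorId: 2, text: "rough night" },
];

// Weak shape: the resolver never looks at who is asking, so any client can
// list every post together with the author's email address.
function resolvePostsUnauthenticated() {
  return posts.map((p) => ({
    id: p.id,
    text: p.text,
    author: { id: p.authorId, email: users.get(p.authorId).email },
  }));
}

// Hardened shape, step 1: refuse the whole operation unless the context
// carries a verified user id (in a real server this comes from a validated
// session or token, which is assumed here).
function requireAuth(ctx) {
  if (!ctx || !Number.isInteger(ctx.userId)) {
    throw new Error("UNAUTHENTICATED");
  }
  return ctx.userId;
}

// Hardened shape, step 2: field-level authorization. Post text stays
// visible to signed-in users, but the email field resolves only for the
// caller's own record; everyone else's is returned as null.
function resolvePosts(ctx) {
  const callerId = requireAuth(ctx);
  return posts.map((p) => ({
    id: p.id,
    text: p.text,
    author: {
      id: p.authorId,
      email: p.authorId === callerId ? users.get(p.authorId).email : null,
    },
  }));
}

// Helper used to show what an anonymous caller gets from each version.
function anonymousEmailCount(resolver) {
  try {
    return resolver(undefined).filter((p) => p.author.email !== null).length;
  } catch (e) {
    return e.message === "UNAUTHENTICATED" ? 0 : -1;
  }
}
```

Running `anonymousEmailCount(resolvePostsUnauthenticated)` returns 2 (every email exposed to an anonymous caller), while `anonymousEmailCount(resolvePosts)` returns 0 because the operation is rejected before any resolver runs; a signed-in user sees only their own address. The two checks are deliberately separate: an endpoint-level login requirement stops anonymous enumeration, and the field-level rule limits what an authenticated but curious user can learn about others.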

In a statement, Feelyou said it first discovered the issue after being contacted by The Daily Dot.

“We have discovered an incident in which a user’s email address can only be obtained from an external source when performing a specific operation on the Feelyou app. This issue was resolved at 3:54 p.m. on July 16, 2022 (Saturday) Japan time,” the company said.

“Due to the change implemented on January 26, 2022, it was found that email addresses could only be obtained externally when certain operations were performed.”

Feelyou said that, after an investigation, its security team believed no one other than the researcher had accessed the information.

“We have also confirmed through our investigation that there is no impact other than email addresses. Feelyou does NOT store the following information in the app: names, addresses, phone numbers, passwords, credit card information, and information that identifies individuals,” the company added.

In an interview, crimew said she thinks the severity of security issues in Feelyou is an outlier, but noted that she doesn’t think it necessarily matters in terms of how much privacy these apps can provide, given the legal frameworks of most countries.

“There are certainly a lot more of these apps with security issues just waiting to be found, and as always under capitalism, it’s obvious that privacy and security are more of a secondary goal and selling subscriptions is usually much more central,” she said.

“I feel like that’s also generally the catch of a lot of these apps, they take advantage of people’s mental illness in often questionable ways, so to trust them with data is in my opinion a bit foolish.”

In May, Mozilla published a study on the privacy features of mental health apps such as Talkspace, Better Help and Calm. The company found that nearly all apps had serious security issues and failed to meet Mozilla’s minimum security standards, such as requiring strong passwords and managing security updates and vulnerabilities.

Even while allowing users to share extremely sensitive and personal issues, many apps routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.

Mozilla specifically shed light on the vague and messy privacy policies of Better Help and Better Stop Suicide, as well as how apps like Talkspace collect chat transcripts. The researchers noted that mental health apps are a “data-gathering bonanza,” explaining that “nearly all of the apps reviewed gobble up users’ personal data — more than Mozilla researchers even saw from apps and connected devices.”

“Hundreds of millions of dollars are invested in these apps despite their flaws,” said Misha Rykov, researcher at Mozilla. “In some cases, they operate as data-sucking machines with a sanity app veneer. In other words: a wolf in sheep’s clothing.”

Researchers also found that some apps harvest data from third-party platforms like Facebook. Mozilla released a follow-up study last week showing that teen mental health apps have similarly blatant privacy policies.

Many mental health apps that crimew reviewed contain analytics and tracking libraries, giving companies a wealth of metadata about usage, she said.

While she suggested these apps should store health data locally, she noted that it’s far from impossible that there are legal ways for governments to know you’re using them.

“I feel like the most important thing is for these companies to realize that while it may not sound sexy for their finance department, really prioritizing their product’s security and their users’ privacy is absolutely paying off in the long run, and even lets you brag about it on your landing pages,” she said.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
