The Daily Dot is reporting that mental health app Feelyou patched a vulnerability this weekend that saw the email addresses for its nearly 80,000 users exposed online.
Up until last week…, anyone could obtain the personal email addresses of users and link them to anonymous posts by simply accessing the app’s GraphQL application programming interface (API), which did not require any authentication to do so.
… a malicious actor with access to the API could have scraped all the data en masse.
The issue was discovered by security researcher maia arson crimew and affected the app’s 77,967 users in 177 countries. After checking the API once again, maia confirmed that the data was no longer accessible. The company also said it intends to reach out to users to inform them of the issue.
“When security of healthcare data is being discussed, the examples used are usually Electronic Healthcare Records or physical healthcare devices. When you consider the impact of the names of the users of digital mental health services becoming public through a breach, it’s easy to understand why mental health data should be considered at the very top of the sensitive healthcare data tree. This is why Approov has been involved in an initiative to improve the general level of API and app security by educating and demonstrating best practice across this key sector. As tragic as this data breach is, and it is tragic, I hope it will serve as a wakeup call to digital mental health providers to seek expert guidance immediately and strengthen their API and app security.”