A security researcher, Ovi Liber, has discovered significant security vulnerabilities in the popular pregnancy tracking app What to Expect that put its users’ sensitive personal and reproductive health data at risk. Liber identified multiple issues, including an insecure password reset mechanism, overexposure of user data through the app’s API, and the exposure of group administrators' email addresses. And despite attempts to alert the app’s developers to these flaws, neither Liber nor journalists at 404 Media, who covered this story, received a response, leaving millions of users vulnerable to potential exploitation.
These security vulnerabilities are particularly concerning given the current legal environment, where restrictive abortion laws in many U.S. states criminalize aspects of reproductive health care, creating an elevated risk for users whose data could be used against them in legal or extralegal contexts.
The identified security vulnerabilities
1. Insecure password reset mechanism
The What to Expect app’s password reset feature has several critical weaknesses that make it highly susceptible to brute-force attacks. The system relies on a six-digit numeric reset code valid for one hour, allowing attackers ample time to guess the code. Compounding this issue, the API does not limit the number of attempts an attacker can make to guess the reset code, nor does it validate the source of the request via IP checks or user-specific restrictions.
These flaws enable an attacker to initiate a password reset for any user, systematically brute-force the code, and gain unauthorized access to their account. Once inside, the attacker can access deeply personal and sensitive information, including reproductive health history, which could lead to personal or legal consequences for the victim.
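The weaknesses above (a six-digit code, a long validity window, and no cap on guesses) are all addressable server-side. The following is an added illustration, not code from What to Expect, of a reset-code store that enforces expiry, a small attempt budget, single use and a constant-time comparison; the time limits and attempt count are assumed values chosen for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory model of a password-reset code store.
# CODE_TTL and MAX_ATTEMPTS are assumed values for illustration.
CODE_LEN = 6          # six-digit numeric code, as in the article
CODE_TTL = 15 * 60    # seconds; far shorter than the one-hour window reported
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is invalidated


class ResetStore:
    """Per-user reset state: code, expiry time and guesses consumed."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._pending = {}         # user_id -> {"code", "expires", "attempts"}

    def issue(self, user_id):
        """Create a fresh random code for the user, replacing any earlier one."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self._pending[user_id] = {
            "code": code,
            "expires": self._now() + CODE_TTL,
            "attempts": 0,
        }
        return code   # in a real system this is delivered out of band only

    def verify(self, user_id, submitted):
        """True only for the correct, unexpired code within the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[user_id]          # expired: unusable
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]          # budget exhausted: lock out
            return False
        # Constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(entry["code"], str(submitted)):
            del self._pending[user_id]          # single use
            return True
        return False
```

Issuing a new code should itself be rate limited per user and per source address, since otherwise the lockout can be reset by requesting another code.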
2. Insecure API exposes personally identifiable information (PII)
The app’s API also overexposes sensitive user data. If an attacker obtains a valid user ID and authentication token, they can access a range of information, including:
- Names, addresses, and email addresses
- IP addresses and account details
- Reproductive health data, such as pregnancy histories, baby identifiers, and records of pregnancy losses or abortions
This information is returned in plain text by the API, with no encryption securing the data at rest. The API also overexposes data, returning more information than the app’s functionality needs and violating the basic principle of data minimization.
In an exploit scenario, an attacker intercepting a user ID and token – through a data breach or a man-in-the-middle attack – could query the API and retrieve sensitive information.
3. Exposure of group administrator email addresses
Another vulnerability allows the app’s API to expose the email addresses of administrators for community forums. This flaw is particularly concerning for administrators of sensitive groups, such as those focused on abortion rights. Exposing this information increases the risk of targeted harassment, phishing attacks, or other forms of exploitation.
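Both the overexposed user records described earlier and the leaked group-administrator e-mail addresses are cases of an API returning fields its caller does not need. The following added example, not code from the app, shows a deny-by-default projection layer where each endpoint declares exactly the fields it returns, plus an audit that walks a decoded JSON response and reports sensitive keys the endpoint should not have exposed. Endpoint names, field names and the sample record are constructed assumptions.

```python
# Keys that are sensitive wherever they appear (assumed set for the example)
SENSITIVE_KEYS = {"email", "address", "last_ip", "pregnancies"}

# Each endpoint lists exactly the fields its screen needs; anything else is dropped.
# Assumed endpoint and field names, not the app's real schema.
ALLOWLIST = {
    "profile/self":   {"id", "display_name", "email", "due_date"},
    "profile/public": {"id", "display_name"},
    "pregnancy/self": {"id", "pregnancies"},
    "group/admins":   {"id", "display_name"},   # admin e-mails never leave the server
}


def project(record, endpoint):
    """Return only the fields allowlisted for this endpoint; unknown endpoints get nothing."""
    allowed = ALLOWLIST.get(endpoint, set())
    return {k: v for k, v in record.items() if k in allowed}


def find_overexposure(payload, endpoint, path=""):
    """Walk a decoded JSON response and list paths of sensitive keys not allowed here."""
    allowed = ALLOWLIST.get(endpoint, set())
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and key not in allowed:
                hits.append(here)
            hits.extend(find_overexposure(value, endpoint, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_overexposure(value, endpoint, f"{path}[{i}]"))
    return hits


# Constructed sample record; no real person or data
FULL_RECORD = {
    "id": 1234,
    "display_name": "constructed_user",
    "email": "user@example.invalid",
    "address": "1 Example Street",
    "last_ip": "203.0.113.7",
    "due_date": "2025-06-01",
    "pregnancies": [{"baby_id": 9, "outcome": "loss"}],
}
```

Running the audit against responses captured in testing, rather than against the projection, is what detects a regression where a new field slips into an endpoint's output.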
Why these vulnerabilities are especially dangerous
Since the Supreme Court’s 2022 decision overturning Roe v. Wade, states have passed increasingly restrictive abortion laws, with some criminalizing out-of-state travel for abortion care or penalizing those who assist individuals in obtaining abortions. For example:
- Alabama: Authorities have claimed the authority to prosecute individuals who assist others in traveling out of state for abortion services.
- Idaho: The state has enacted legislation criminalizing assistance to minors seeking abortions without parental consent.
- Texas: The state has attempted to subpoena medical records of residents who have obtained abortions in other states.
The American Bar Association (ABA) has warned that digital health data is increasingly being weaponized in legal cases, with location data, app activity, and search histories used to incriminate individuals seeking abortions or those assisting them.
And even in situations where the government would need a subpoena to access data from apps like What to Expect, some states have enacted laws allowing private-right-of-action suits against those who assist with abortions. So abusive spouses or even unrelated vigilantes could hack the accounts of What to Expect users to find grounds to pursue legal action against individual women or their medical providers.
Lack of accountability
According to Liber, attempts to address these vulnerabilities with the app’s developers have been unsuccessful. Liber first reached out to What to Expect in October 2024, providing detailed disclosures of the flaws. When these attempts were ignored, journalists from 404 Media also contacted the app’s developers and public relations team, but they reported that no response was provided.
Many health-related apps fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), meaning they are not legally obligated to adhere to the same privacy standards as medical providers. Instead, they rely on voluntary compliance with best practices. The issues with What to Expect highlight the need for stronger regulatory oversight. The ABA has called for HIPAA-like protections to be extended to digital health platforms, ensuring that encryption, secure authentication, and data minimization become standard requirements. Such measures are essential for protecting users, particularly those relying on these apps for sensitive health information.
[Image credit: Techlicious/Midjourney]
Josh Kirschner is the co-founder of Techlicious and has been covering consumer tech for more than a decade. Josh started his first company while still in college, a consumer electronics retailer focused on students. His writing has been featured in Today.com, NBC News and Time.