Feelyou mental health app says emails of 78,000 users exposed in breach
Popular mental health app Feelyou announced a platform vulnerability this week that exposed the email addresses of nearly 78,000 of its users.
Security researcher maia arson crimew told The Record she discovered the issue while reverse engineering several other mental health trackers and similar apps.
After finding the vulnerability in the Feelyou platform, she contacted The Daily Dot, which reported the issue on Monday.
When asked for comment, Bajji – the company that owns Feelyou – directed The Record to a statement released on Tuesday disclosing that the vulnerability in the platform was patched on Saturday, July 16.
Until Saturday, anyone could see the email addresses of the app’s 77,967 users in 177 countries and tie them back to posts made on the platform. Feelyou allows users to track their mood and share their feelings on a day-to-day basis.
Feelyou’s GraphQL application programming interface did not require authentication to access, leaving it open to anyone, according to crimew.
In a statement, Feelyou said it first discovered the issue after being contacted by The Daily Dot.
“We have discovered an incident in which a user's e-mail address can be obtained from an external source only when they perform a specific operation on the Feelyou application. This problem was resolved at 15:54 on July 16, 2022 (Sat.) In Japan time,” the company said.
“Due to the modification implemented on January 26, 2022, it was found that e-mail addresses could be obtained from outside only when certain operations were performed.”
お詫びとご報告
— 小林慎和 #テクノロジーの力で世の中を1mmでもよくしたい (@noritaka88ta) July 19, 2022
Feelyouアプリにおいてメールアドレスが外部から取得可能になっていた不具合がございました。7月16日時点でその修復は完了しております。本日情報公開させて頂きました。以後再発防止に努めます。ご迷惑ご心配をおかけしましたことをお詫び申し上げます。https://t.co/yfda8Z3a8o
Feelyou claimed after an investigation their security team believes no one had accessed the information other than the researcher.
“We have also confirmed through our investigation that there was no other impact other than email addresses. Feelyou does NOT store the following information in the application: Names, addresses, telephone numbers, passwords, credit card information, and information that identifies individuals,” the company added.
In an interview, crimew said she believes the severity of the security issues in Feelyou are an outlier but noted that she does not think this necessarily matters in terms of the amount of privacy these apps can provide, given legal frameworks in most countries.
“There are certainly much more of these apps with security issues just waiting to be found, and as always under capitalism it's definitely obvious that privacy and security are more a secondary goal and selling subscriptions is usually much more central,” she said.
“I feel like that's also just generally the pitfall of a lot of these apps, they profit off of people's mental illness in often questionable ways, so to trust them with data is in my opinion kind of foolish.”
In May, Mozilla released a study on the privacy features of mental health apps like Talkspace, Better Help and Calm. The company found that almost all of the apps had serious security issues and failed to meet Mozilla’s Minimum Security Standards, like requiring strong passwords and managing security updates and vulnerabilities.
Even while allowing users to share intensely sensitive and personal issues, many of the apps routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.
Mozilla specifically spotlighted the vague and messy privacy policies of Better Help and Better Stop Suicide as well as the way apps like Talkspace collect chat transcripts. The researchers noted that mental health apps are a “data harvesting bonanza,” explaining that “nearly all the apps reviewed gobble up users’ personal data — more than Mozilla researchers have even seen from apps and connected devices.”
“Hundreds of millions of dollars are being invested in these apps despite their flaws,” said Mozilla Researcher Misha Rykov. “In some cases, they operate like data-sucking machines with a mental health app veneer. In other words: A wolf in sheep’s clothing.”
The researchers also found that some apps harvest data from third-party platforms like Facebook. Mozilla released a follow-up study last week showing that mental health apps for teens had similarly egregious privacy policies.
Many of the mental health apps crimew has examined contain analytics and tracker libraries, giving companies troves of metadata regarding usage, she said.
While she suggested these apps should store health data locally, she noted that it is far from impossible for there to be legal ways for governments to find out you are using it.
“I feel like the most important thing is for these companies to realize that even though it might not sound sexy to their financial department, actually truly prioritizing the security of their product and the privacy of their users absolutely pays off in the long run, and even let's you brag about it on your landing pages,” she said.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.