Mental health app Feelyou patched a vulnerability this weekend that saw the email addresses of its nearly 80,000 users exposed online.
Owned by the Japan-based company bajji, Feelyou describes itself as the first journaling and social mood tracking app. It allows users to share their feelings with others either publicly or anonymously. Its tagline is, “It’s O.K. not to be O.K.”
The app allows you to track your mood and include notes on it, which others can respond to. It says the community it fosters can help improve both people’s moods and the environment.
Up until last week, however, anyone could obtain the personal email addresses of users and link them to their anonymous posts simply by querying the app’s GraphQL application programming interface (API), which required no authentication.
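The failure described above is a missing authorization check on individual GraphQL fields: the API resolved a post’s author, and the author’s email, for any caller. The following is an added illustration written for this article, not Feelyou’s or bajji’s code. It uses a constructed in-memory executor whose resolvers take the same (parent, context) shape as common GraphQL server libraries, shows the “before” resolvers that hand the email to an unauthenticated caller, and beside them the hardened resolvers that hide the author of anonymous posts and restrict the email field to its owner. All users, posts and field names are invented.

```python
"""Field-level authorization in GraphQL-style resolvers (added example,
not the app's own code). A minimal executor stands in for a real GraphQL
server so the anonymous-post -> author -> email leak can be reproduced
and then closed, offline."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; none of these are real accounts.
USERS = {
    1: {"id": 1, "email": "alice@example.invalid", "handle": "alice"},
    2: {"id": 2, "email": "bob@example.invalid", "handle": "bob"},
}
POSTS = [
    {"id": 10, "author_id": 1, "anonymous": True, "text": "rough day"},
    {"id": 11, "author_id": 2, "anonymous": False, "text": "feeling ok"},
]
# Which object type each nested field resolves to (hypothetical schema).
FIELD_TYPES = {"Query.posts": "Post", "Post.author": "User"}


@dataclass
class Context:
    """Per-request context; user_id is None for an unauthenticated caller."""
    user_id: Optional[int] = None


class Unauthorized(Exception):
    """Raised by a resolver when the caller may not read a field."""


def vulnerable_resolvers():
    """'Before': every field resolves for every caller, so an anonymous
    request can walk posts -> author -> email and de-anonymize posters."""
    return {
        "Query.posts": lambda parent, ctx: list(POSTS),
        "Post.author": lambda post, ctx: USERS[post["author_id"]],
        "User.email": lambda user, ctx: user["email"],
        "User.handle": lambda user, ctx: user["handle"],
    }


def hardened_resolvers():
    """'After': the author of an anonymous post is hidden from everyone but
    the poster, and the email field is readable only by its owner."""
    def author(post, ctx):
        if post["anonymous"] and ctx.user_id != post["author_id"]:
            return None  # sever the link between an anonymous post and a user
        return USERS[post["author_id"]]

    def email(user, ctx):
        if ctx.user_id != user["id"]:
            raise Unauthorized("email is only visible to its owner")
        return user["email"]

    return {
        "Query.posts": lambda parent, ctx: list(POSTS),
        "Post.author": author,
        "User.email": email,
        "User.handle": lambda user, ctx: user["handle"],
    }


def execute(resolvers, selection, ctx, parent=None, type_name="Query", errors=None):
    """Resolve a nested selection ({field: True | {subfields}}) the way a
    GraphQL executor does: an Unauthorized field becomes null plus an error."""
    errors = [] if errors is None else errors
    data = {}
    for name, sub in selection.items():
        key = f"{type_name}.{name}"
        try:
            value = resolvers[key](parent, ctx) if key in resolvers else parent[name]
        except Unauthorized as exc:
            errors.append({"path": key, "message": str(exc)})
            value = None
        if isinstance(sub, dict) and value is not None:
            child = FIELD_TYPES[key]
            if isinstance(value, list):
                value = [execute(resolvers, sub, ctx, v, child, errors) for v in value]
            else:
                value = execute(resolvers, sub, ctx, value, child, errors)
        data[name] = value
    return data


def run_query(resolvers, selection, ctx):
    errors = []
    return {"data": execute(resolvers, selection, ctx, errors=errors), "errors": errors}


def emails_in(response):
    """Audit helper: collect every email string present in a response."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k == "email" and isinstance(v, str):
                    found.add(v)
                else:
                    walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(response["data"])
    return found


# The query an unauthenticated caller could send: posts with their authors' emails.
SELECTION = {"posts": {"id": True, "anonymous": True,
                       "author": {"handle": True, "email": True}}}

if __name__ == "__main__":
    print("before:", sorted(emails_in(run_query(vulnerable_resolvers(), SELECTION, Context()))))
    print("after: ", sorted(emails_in(run_query(hardened_resolvers(), SELECTION, Context()))))
```

The check that matters is the last one in `emails_in`: run the same query the public could have sent against the hardened resolvers with an empty context and confirm no email comes back. Putting the rule in the field resolver rather than at the HTTP layer is deliberate, because GraphQL lets a client reach any field through any path, so an endpoint-level gate would still leave `posts { author { email } }` open.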
The issue was discovered by security researcher maia arson crimew and affected the app’s 77,967 users in 177 countries.
In a statement to the Daily Dot, maia stressed the importance of approaching apps that involve mental health with caution.
“What I think is important here is that we really need to think about who we trust with our (mental) health data, especially in the U.S. post-Roe v. Wade era, but also everywhere and always,” maia told the Daily Dot. “There is no way to know how well secured it is, and even seemingly anonymous posts can probably be linked to you.”
The Daily Dot, after being provided with a full list of email addresses by maia, reached out to numerous Feelyou users. A user, who claimed to be from Italy and asked to remain anonymous, admitted to using the app in the past, verifying the dataset.
After being contacted by the Daily Dot, bajji founder Noritaka Kobayashi stated that the company had confirmed that the security issue had been present since at least Jan. 25 but asserted that no evidence of an attack was found.
Users’ post history and profile information were also accessible. And although such information is technically public on the app, a malicious actor with access to the API could have scraped all the data en masse.
Kobayashi said the vulnerability was fixed over the weekend after a board meeting was held, further stressing that the app did not collect personal information such as names, addresses, birth dates, genders, phone numbers, country of origin, or credit card data.
“Since Feelyou concept is a safe place to vent honest feelings, we do not gather any personal information,” Kobayashi added. “We believe Feelyou app is secure again.”
After checking the API once again, maia confirmed that the data was no longer accessible. The company also said it intends to reach out to users to inform them of the issue.
Apps that collect health-related data have come under increased scrutiny in the wake of the Supreme Court’s ruling that abortion is not a federally protected right. Experts have warned that law enforcement could either request data from an app or buy it from a data broker in order to investigate those who may have had an abortion.
Update 9:47am CT, July 19: In a blog post and an announcement in its app on Tuesday, Feelyou informed its customers of the now-patched vulnerability.
“A technical writer contacted us on July 14, and we investigated the issue from July 14 to July 15, and completed the fix on Saturday, July 16.”