Walgreens Mobile App Leaks Customers' Credentials and Prescriptions

The popular pharmacy chain Walgreens is warning that a bug in its official mobile app may have revealed sensitive data, including customers' full names and information about the prescription drugs they take.

The security issue was the result of a "bug" in the personal secure messaging feature of Walgreens' mobile app. The messaging feature is a service that lets registered customers receive SMS updates, offers and coupons for prescription refills.

While Walgreens did not explain the technical error, it said that an internal coding error allowed certain customers using the mobile app to access personal messages that were stored in the database.

In its investigation, Walgreens found that certain messages containing limited health-related information were involved in this incident for a small proportion of impacted customers, according to a consumer notice filed with the Office of the Prosecutor General and published on Friday.

Our assumption is that you were part of the affected customer group and that between January 9, 2020 and January 15, 2020, some customers on the Walgreens mobile app may have seen one or more personal messages containing your limited health information.

The data may include customers' first and last names, prescriptions and drug names, and the pharmacy and shipping addresses at which customers have received prescriptions. Walgreens said financial information and Social Security numbers have not been compromised.

After discovering the issue on January 15, Walgreens took immediate steps to disable message viewing in the Walgreens mobile app to prevent further disclosure before implementing a permanent fix, according to the notification. Walgreens will conduct more testing, as required, to ensure that changes do not affect the privacy of customer data.

"If the error in the application had been properly tested, the quality assurance team should have detected this type of problem and never seen it in development," he said. It is regrettable that mistakes are frequently made and due diligence checks are missed to reach a release date. It also raises questions as to why this information was not encrypted so that it would be unreadable even if it was written into a database, and how individuals have access to a copy of the database.

All data available on a mobile device would be encrypted with the user's keys, and the app would only have access to information related to a specific user.

Walgreens suggested that customers check their medical records and prescriptions. The company did not say how many users were affected or how often the exposed information was actually accessed (Threatpost was asked for further comment).

However, the total number of people affected depends on the size of Walgreens' customer base. According to its website, the company communicates with nearly 8 million consumers online and in stores every day and planned 1.2 billion prescriptions for 30 days in fiscal 2019. The Walgreens mobile app also has more than 10 million downloads on the Google Play app market.

Oliveira said that the leakage of prescriptions is a cause for concern, as it exposes health conditions that can be used for blackmail, for example. A bad actor with this data may threaten to show employers victims' conditions that they may not want shown.
