A bug in the Walgreens mobile app leaked customers’ messages

Pharmacy store chain Walgreens has disclosed a data breach that impacted some customers of its mobile application.

The mobile app allows users to refill prescriptions by scanning barcode, manage medications with Pill Reminder, set Rx alerts for refills and pickups, set up a video chat with doctors, refill and check prescription status, print photos, create personalized folded photo cards, and customize décor items.

The app already has over 10,000,000 millions of Android installs individuals and 50 million iOS installs.

According to the company, customers’ messages within the Walgreens mobile application may have been viewed by other users due to a bug in the personal secure messaging feature. The company discovered the issue on January 15, 2020, data was exposed between January 9 and January 15, 2020.

“We recently learned of unauthorized disclosure of one or more of your secure messages within the Walgreens mobile app. We are contacting you to provide you with information about the incident and also with information about steps you can take to protect yourself.” reads the data breach notification letter sent to the users.

“Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app. Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue,”

The investigation conducted by the company revealed that information accessed by other customers might include first and last name, prescription number and drug name, store number, shipping address where applicable. The company revealed that financial information, such as Social Security number or bank account information, was not exposed.

At the time, it is nor clear how many customers have been affected.

Walgreens disabled the message viewing feature implemented in the mobile app to prevent further disclosure, meantime the company is working at a permanent correction.

“Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue. Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data,” concludes the notification.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – mobile app, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.