A bug in the Walgreens mobile app leaked customers’ messages

Pharmacy store chain Walgreens has disclosed a data breach that impacted some customers of its mobile application.

Pharmacy store chain Walgreens has disclosed a data breach that impacted some customers of its mobile application.

The mobile app allows users to refill prescriptions by scanning barcode, manage medications with Pill Reminder, set Rx alerts for refills and pickups, set up a video chat with doctors, refill and check prescription status, print photos, create personalized folded photo cards, and customize décor items.

The app already has over 10,000,000 millions of Android installs individuals and 50 million iOS installs.

According to the company, customers’ messages within the Walgreens mobile application may have been viewed by other users due to a bug in the personal secure messaging feature. The company discovered the issue on January 15, 2020, data was exposed between January 9 and January 15, 2020.

“We recently learned of unauthorized disclosure of one or more of your secure messages within the Walgreens mobile app. We are contacting you to provide you with information about the incident and also with information about steps you can take to protect yourself.” reads the data breach notification letter sent to the users.

“Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app. Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue,”

The investigation conducted by the company revealed that information accessed by other customers might include first and last name, prescription number and drug name, store number, shipping address where applicable. The company revealed that financial information, such as Social Security number or bank account information, was not exposed.

At the time, it is nor clear how many customers have been affected.

Walgreens disabled the message viewing feature implemented in the mobile app to prevent further disclosure, meantime the company is working at a permanent correction.

“Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue. Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data,” concludes the notification.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – mobile app, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]