Peloton’s leaky API let anyone grab riders’ private account data

Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.


My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.


Peloton, the at-home fitness brand synonymous with its indoor stationary bike, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.


As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)


But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics, and if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.
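The bug class described above is missing authorization on a profile endpoint: the server looks a user up by identifier and returns the full record without asking who is calling or whether the profile is private. The following is an added Python illustration, not Peloton's code or its real API; the handler names, the field list, the in-memory user store and the friends rule are all assumptions chosen to match the fields the article lists. It places the leaky handler beside a hardened one that requires an authenticated caller and then applies the target's privacy setting.

```python
"""Toy model of a profile endpoint that ignores the caller (leaky) versus
one that enforces authentication and the owner's privacy setting.
Hypothetical code for illustration; nothing here is Peloton's."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Profile:
    user_id: int
    username: str
    private: bool          # the "set my profile to private" switch
    age: int
    gender: str
    city: str
    weight_kg: int
    workouts: int
    birthday_today: bool
    friends: set = field(default_factory=set)


# Constructed sample accounts (not real users).
USERS = {
    1: Profile(1, "rider_one", True, 34, "m", "London", 80, 120, False),
    2: Profile(2, "rider_two", False, 29, "f", "Austin", 62, 45, True),
}

PUBLIC_FIELDS = ("user_id", "username")
# Fields the article says are hidden when a profile is private.
PRIVATE_FIELDS = ("age", "gender", "city", "weight_kg", "workouts", "birthday_today")


class Unauthenticated(Exception):
    """Raised when a handler requires a logged-in caller and has none."""


def _serialize(profile: Profile, fields) -> dict:
    return {f: getattr(profile, f) for f in fields}


def get_profile_leaky(user_id: int, requester: Optional[int] = None) -> dict:
    """Broken: fetches by id and returns every field. `requester` is accepted
    but never consulted, so an anonymous caller gets the private data too."""
    profile = USERS[user_id]
    return _serialize(profile, PUBLIC_FIELDS + PRIVATE_FIELDS)


def get_profile_hardened(user_id: int, requester: Optional[int]) -> dict:
    """Fixed: refuse anonymous callers, then release private fields only to
    the owner, to accepted friends, or when the profile is not private."""
    if requester is None:
        raise Unauthenticated("login required")
    profile = USERS[user_id]
    may_see_private = (
        requester == user_id
        or not profile.private
        or requester in profile.friends
    )
    if may_see_private:
        return _serialize(profile, PUBLIC_FIELDS + PRIVATE_FIELDS)
    return _serialize(profile, PUBLIC_FIELDS)


def private_fields_exposed(handler: Callable, user_id: int,
                           requester: Optional[int] = None) -> set:
    """Which private fields does `handler` hand to `requester` for `user_id`?
    Returns an empty set when the request is refused outright."""
    try:
        data = handler(user_id, requester)
    except Unauthenticated:
        return set()
    return set(data) & set(PRIVATE_FIELDS)


if __name__ == "__main__":
    # Anonymous caller against a private profile: leaky hands over everything.
    print("leaky, anonymous:   ", sorted(private_fields_exposed(get_profile_leaky, 1)))
    # The same request against the hardened handler is refused.
    print("hardened, anonymous:", sorted(private_fields_exposed(get_profile_hardened, 1)))
    # A logged-in stranger sees only the public fields of a private profile.
    print("hardened, stranger: ", get_profile_hardened(1, requester=2))
```

The check that matters is the one the leaky handler never makes: the identity of the caller is compared against the owner and the owner's privacy choice before any private field is serialized. A quick regression check for this class of bug is to replay each profile request with no session and assert that the response contains none of the fields in `PRIVATE_FIELDS`.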


Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers gi ..