Peloton user data exposed by newly patched vulnerabilities

Recently patched vulnerabilities in Peloton’s bike software may have allowed unauthorized users to view sensitive user data, new security research published this week found.


Pen Test Partners, a cybersecurity group, said that earlier this year it discovered vulnerabilities allowing unauthenticated users to exploit Peloton’s API, the software that facilitates communication between the bikes and company servers.


The vulnerabilities could potentially allow an individual to view personal information on Peloton users, including their location, gender and age, as well as class attendees, even if users have the private mode turned on.
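The two failures described above, an API that answers without authenticating the caller and a privacy setting the server leaves for the client to honor, are illustrated by the following added example. This is not Peloton's code or Pen Test Partners' proof of concept; the endpoint functions, session tokens, profile fields and user records are hypothetical and constructed for illustration only.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records; field names and values are hypothetical, not Peloton's schema.
@dataclass
class Profile:
    user_id: str
    location: str
    gender: str
    age: int
    private: bool
    classes_attended: list = field(default_factory=list)

PROFILES = {
    "u1": Profile("u1", "Austin, TX", "F", 34, private=True, classes_attended=["ride-101"]),
    "u2": Profile("u2", "Denver, CO", "M", 41, private=False, classes_attended=["ride-101", "ride-202"]),
}

# Hypothetical session store: bearer token -> authenticated user id.
SESSIONS = {"tok-u1": "u1", "tok-u2": "u2"}


class Unauthorized(Exception):
    """Raised when a request carries no valid session."""


def _full(p: Profile) -> dict:
    return {"user_id": p.user_id, "location": p.location, "gender": p.gender,
            "age": p.age, "private": p.private, "classes": list(p.classes_attended)}


def vulnerable_get_profile(user_id: str, token: Optional[str] = None) -> Optional[dict]:
    """The failure class described in the article: the token is never checked, and the
    'private' flag is merely echoed back, so any caller sees every field."""
    p = PROFILES.get(user_id)
    return None if p is None else _full(p)


def vulnerable_class_attendees(class_id: str, token: Optional[str] = None) -> list:
    """Lists every attendee, private or not, to an unauthenticated caller."""
    return [uid for uid, p in PROFILES.items() if class_id in p.classes_attended]


def _require_session(token: Optional[str]) -> str:
    requester = SESSIONS.get(token or "")
    if requester is None:
        raise Unauthorized("authentication required")
    return requester


def hardened_get_profile(user_id: str, token: Optional[str] = None) -> Optional[dict]:
    """Requires a valid session and enforces the privacy setting on the server side.
    A private profile is reduced to its id and flag for everyone except its owner."""
    requester = _require_session(token)
    p = PROFILES.get(user_id)
    if p is None:
        return None
    if p.private and requester != p.user_id:
        return {"user_id": p.user_id, "private": True}
    return _full(p)


def hardened_class_attendees(class_id: str, token: Optional[str] = None) -> list:
    """Requires a session and omits private users from the roster, except the requester."""
    requester = _require_session(token)
    return [uid for uid, p in PROFILES.items()
            if class_id in p.classes_attended and (not p.private or uid == requester)]


def denied(fn, *args) -> bool:
    """Helper for checks: True if the call is rejected for lack of authentication."""
    try:
        fn(*args)
    except Unauthorized:
        return True
    return False
```

The point of the hardened versions is that the decision about what a private user exposes is made where the data lives, not by the bike or app UI; a client that skips the UI and calls the API directly gets the same reduced answer.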






Pen Test Partners said it notified Peloton, giving the company 90 days to patch the vulnerabilities before going public. But according to a blog post published by Pen Test Partners on Wednesday, Peloton “acknowledged the disclosure” but did not “fix the vulnerability.”


TechCrunch first reported the vulnerabilities, which were made public the same week Peloton was forced to recall all of its treadmills following a child's death and dozens of reported injuries to users. The treadmills used the same vulnerable API.


A spokesperson for Peloton pushed back against the idea that personal data may have been breached, telling The Hill in an emailed statement that “the identification of vulnerabilities by itself does not constitute a breach.”


“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson said. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.”


The spokesperson added that Peloton took action and addressed the vulnerabiliti ..
